Abstract. The paper presents a minimal proof theory which is adequate for proving the main important temporal properties of reactive programs. The properties we consider consist of the classes of invariance, response, and precedence properties. For each of these classes we present a small set of rules that is complete for verifying properties belonging to this class. We illustrate the application of these rules on several examples. We discuss concise presentations of complex proofs using the devices of transition tables and proof diagrams.
1 Introduction

In this paper we present a minimal proof theory that is adequate for proving interesting properties of reactive systems. Reactive systems are systems (and programs) whose main role is to maintain an ongoing interaction with their environment, rather than to produce some final result on termination. Such systems should be specified and analyzed in terms of their behaviors, i.e., the sequences of states or events they generate during their operation. The class of reactive systems includes programs such as operating systems, programs controlling industrial plants, embedded systems, and many others. It is clear that it also includes the classes of concurrent and distributed programs since, independent of the goal and purpose of the complete system, each component of the system has to be studied in terms of the interaction it maintains with the other components.

A reactive program may be viewed as a generator of computations which, for simplicity, we may assume to be infinite sequences of states or events. In the case that the program does terminate, we may always extend the finite computation it has generated by an infinite sequence of duplicate states or dummy events to obtain an infinite computation.

An  important  approach  to  the  specification  and  verification  of  reactive  systems  is 
based  on  specifying  a  program  by  listing  several  properties,  representing  requirements 
that  the  program  ought  to  satisfy.  This  approach  enjoys  the  advantages  of  abstraction 
and  modularity. 

By  abstraction  we  mean  that,  since  the  specifier  lists  separate  properties  and  is  not 
required  to  show  how  they  can  be  integrated  or  to  worry  about  how  they  may  interact  with 
one  another,  he  is  not  tempted  to  overspecify  or  actually  design  the  system.  Consequently, 
this  approach  leads  to  specifications  which  are  free  of  implementation  bias. 

By modularity we mean that a property-list based specification is very easy to modify by dropping, adding or modifying a single property. Also, the process of verifying that a proposed implementation satisfies its specification can be done in a modular fashion, by verifying each property separately.

Several formal approaches have been proposed over the years for expressing and verifying properties of programs, including the language of temporal logic [Pnu77, Lam83] and the formalism of predicate automata [AS89, MP87]. The theoretical investigations into the questions of the expressibility of the specification language and the completeness of the proof theory associated with these formal approaches grew into a large body of knowledge. This may create the false impression that all that body of knowledge is essential for the application of the methodology, and that a heavy investment in learning all this theoretical material is necessary.

One of the points we would like to demonstrate in this paper is that very little general (temporal) theory is required to handle the most important properties of concurrent programs that occur in practice. The types of properties on which a practicing verifier typically spends the most time usually fall into a few simple classes. By presenting a simple but complete set of rules for verifying properties belonging to each of these classes, we provide the practicing verifier with precisely the tools that are needed. Consequently, the approach we take in this paper is to circumvent the general theory of temporal logic and proceed as directly as possible to the introduction of the classes of properties that are most frequently verified and to the proof rules that are appropriate for their verification. We consider three classes of properties, which we believe to cover most of the properties one would ever wish to verify for a reactive program.

To express the properties of programs, we use a specification language, whose building blocks are state formulas (also called assertions). These are first-order formulas which describe program states that can arise in a computation.

The  three  classes  we  consider  are: 

• Invariance - An invariance property refers to an assertion p, and requires that p is an invariant over all the computations of a program P, i.e., all the states arising in a computation of P satisfy p. In temporal logic notation, such properties are expressed by □p, for a state formula p.

• Response - A response property refers to two assertions p and q, and requires that every p-state (a state satisfying p) arising in a computation is eventually followed by a q-state. In temporal logic notation this is written as p ⇒ ◇q.

• Precedence - A simple precedence property refers to three assertions p, q, and r. It requires that any p-state initiates a q-interval (i.e., an interval all of whose states satisfy q) which either extends to the end of the computation, or is terminated by an r-state. Such a property is useful for expressing the requirement that, following a certain condition p, event r will precede event q.

In temporal logic, this property is expressed by p ⇒ (¬q) W r, using the waiting-for operator (weak until) W. More complex precedence properties refer to a sequence of assertions q0, ..., q_{m-1}, and replace the requirement of a single q-interval by requiring a q0-interval, followed by a q1-interval, ..., followed by a q_{m-1}-interval.

We refer the reader to [MP91a] for a top-down approach, which presents the most general proof rules possible. Here, however, we take the opposite approach of presenting rules that are closely tailored for these restricted classes.

2  Programs  and  Computations 

The  basic  computational  model  we  use  to  represent  programs  is  that  of  a  fair  transition 
system.  In  this  model,  a  program  P  consists  of  the  following  components. 
• V = {u1, ..., un} - A finite set of state variables. Some of these variables represent data variables, which are explicitly manipulated by the program text. Other variables are control variables, which represent, for example, the location of control in each of the processes in a concurrent program. We assume each variable x ∈ V to be associated with a nonempty domain over which it ranges.

We define a state s to be a type-consistent interpretation of V, assigning to each variable u ∈ V a value s[u] over its domain. We denote by Σ the set of all states.

• Θ - The initial condition. This is a satisfiable assertion characterizing all the initial states, i.e., states at which the computation of the program can start. A state is defined to be initial if it satisfies Θ.

• T - A set of transitions. Each transition τ ∈ T is associated with an assertion ρ_τ(V, V'), called the transition relation, which may refer to both unprimed and primed versions of the state variables. The purpose of the transition relation ρ_τ is to express a relation between a state s and its successor s'. We use the unprimed version to refer to values in s, and the primed version to refer to values in s'. For example, the assertion x' = x + 1 states that the value of x in s' is greater by 1 than its value in s.

• J ⊆ T - A set of just transitions (also called weakly fair transitions). Intuitively, the requirement of justice for τ ∈ J disallows a computation in which τ is continually enabled but not taken beyond a certain point.

We define the state s' to be a τ-successor of the state s if the assertion ρ_τ(V, V') is satisfied by (s, s'), the joint interpretation which interprets x ∈ V as s[x], and interprets x' as s'[x]. Following this definition, we can view the transition τ as a function τ: Σ → 2^Σ, defined by:

τ(s) = {s' | s' is a τ-successor of s}.

We say that the transition τ is enabled on the state s if τ(s) ≠ ∅. Otherwise, we say that τ is disabled on s. The enabledness of a transition τ can be expressed by the formula En(τ), which is true in s iff s has some τ-successor.

We require that every state s ∈ Σ has at least one transition enabled on it. This is often ensured by including in T the idling transition τ_I (also called the stuttering transition), whose transition relation is ρ_I: (V' = V). Thus, s' is a τ_I-successor of s iff s' = s.

Assume a program P for which the above components have been specified. Consider σ: s0, s1, ..., an infinite sequence of states of P. We say that transition τ ∈ T is enabled at position k of σ if τ is enabled on s_k. We say that the transition τ is taken at position k if s_{k+1} is a τ-successor of s_k. Note that several different transitions can be considered as taken at the same position.

The sequence σ is defined to be a computation of P if it satisfies the following requirements:

• Initiality: s0 is initial,

• Consecution: For each j = 0, 1, ..., the state s_{j+1} is a τ-successor of the state s_j, i.e., s_{j+1} ∈ τ(s_j), for some τ ∈ T.

• Justice: For each transition τ ∈ J, it is not the case that τ is continually enabled beyond some position j in σ, i.e., τ is enabled at every position k ≥ j, while τ is not taken beyond j.

We say that a state s is P-accessible if it appears in some computation of P. Clearly, any τ-successor of a P-accessible state is also P-accessible.

We refer the reader to [MP91b] for a more comprehensive notion of a fair transition system that specifies also a set of compassionate (strongly fair) transitions. The requirement of compassion is relevant only for programs that use special synchronization constructs such as semaphores or message passing statements. In the examples presented here concurrent processes communicate by shared variables, so there is no need for the compassion component.

We  assume  an  underlying  assertional  language,  which  contains  the  predicate  calculus 
and  interpreted  symbols  for  expressing  the  standard  operations  and  relations  over  some 
concrete  domains.  We  refer  to  a  formula  in  the  assertional  language  as  an  assertion. 

For an assertion p and a state s such that p holds on s, we say that s is a p-state. For a computation σ: s0, s1, ..., such that s_j is a p-state, we call j a p-position.

3  The  Main  Examples:  Mutual  Exclusion 

For  our  main  examples  we  use  two  programs  that  have  been  proposed  as  solutions  to  the 
mutual  exclusion  problem. 

The  simple  version  of  the  mutual  exclusion  problem  considers  two  processes  that  need 
to  coordinate  access  to  a  shared  resource.  This  shared  resource  may  represent  a  shared 
variable  or  a  device,  such  as  a  disk  or  printer,  that  needs  to  be  accessed  exclusively,  i.e., 
protected  from  interference. 

Solutions  to  the  mutual  exclusion  problem  are  presented  by  programs  that  contain 
two  concurrent  processes.  Each  process  contains  two  schematic  statements:  statement 
Non-Critical  and  statement  Critical.  Statement  Non-Critical  represents  the  independent 
activity  of  the  process.  It  stands  for  an  arbitrary  complex  segment  of  the  program  that 
represents  all  the  processing  that  requires  no  coordination  with  the  other  process.  It 
is  not  even  required  that  this  statement  terminates.  Nontermination  of  the  non-critical 
statement  corresponds  to  the  situation  in  which  a  certain  process  needs  no  further  access 
to the shared resource. Statement Critical (usually referred to as the critical statement or
critical  section)  represents  all  the  activity  that  has  to  be  performed  in  protected  mode.  For 
this  activity,  we  require  eventual  termination.  Nontermination  of  the  critical  statement 
corresponds  to  one  process  appropriating  the  shared  resource  and  never  releasing  it  to  the 
other  process.  This  is,  in  general,  an  unacceptable  behavior. 

An important assumption about both of these schematic statements is that they do not modify any of the variables that are used in the protocol for coordination between the two processes.

We  present  two  solutions  to  the  mutual  exclusion  problem. 
    local y1, y2 : boolean where y1 = F, y2 = F
          s : integer where s = 1

    P1 ::                                     P2 ::
    ℓ0 : loop forever do                      m0 : loop forever do
         [ ℓ1 : Non-Critical                       [ m1 : Non-Critical
           ℓ2 : y1 := T                              m2 : y2 := T
           ℓ3 : s := 1                               m3 : s := 2
           ℓ4 : await (¬y2) ∨ (s = 2)                m4 : await (¬y1) ∨ (s = 1)
           ℓ5 : Critical                             m5 : Critical
           ℓ6 : y1 := F ]                            m6 : y2 := F ]

Figure 1: Program PET: Peterson's algorithm for mutual exclusion.


3.1  Peterson’s  Program 

Peterson's solution to the mutual exclusion problem [Pet83] is presented in Fig. 1. The basic mechanism protecting the critical sections is provided by the boolean variables y1 and y2. Each process Pi, i = 1, 2, that is interested in entering its critical section sets its yi variable to T. On exiting the critical section, the corresponding yi is reset to F.

The problem with this simple-minded approach is that the two processes may arrive at their waiting positions, ℓ4 and m4 respectively, at about the same time, with both y1 = y2 = T. If the only criterion for entry to the critical section was that the yi of the competitor be false, this situation would result in a deadlock (tie).

The variable s, ranging over {1, 2}, is intended for breaking such ties. It may be viewed as a signature, in the sense that each process that sets its yi variable to T also writes its identity number in s at the next statement. Then, if both processes are at the waiting position, the first to enter will be Pi such that s ≠ i. For i = 1, 2, let j denote the index of the other process. The fact that s = j means that the competitor, Pj, was the last to reach the waiting position and therefore Pi should have priority.

3.2  Dekker’s  Program 

Another program we study is Dekker's algorithm for mutual exclusion [Dij65]. This was one of the earliest correct solutions (possibly the first) to this problem.

Similar to Peterson's algorithm, each of the processes in Dekker's solution also uses a boolean variable yi, i = 1, 2, that expresses the interest of the process to enter its critical section. Process Pi starts by setting its yi variable to T. It then tests the yj value of its competitor. If the competing yj is found to equal F, Pi enters its critical section immediately. In case of a tie, i.e., both processes have yi = T, we use a tie-breaker, the variable t (short for turn). This variable ranges over {1, 2}, and the process whose number is t has the higher priority. To ensure fair accessibility, process Pi sets variable t to the value corresponding to its rival on exit from the critical section.

Dekker’s  algorithm  is  presented  in  Fig.  2. 

Let us follow P1 on exit from the non-critical section. This is where the protocol of
    local y1, y2 : boolean where y1 = F, y2 = F
          t : integer where t = 1

    P1 ::                                     P2 ::
    ℓ0 : loop forever do                      m0 : loop forever do
         [ ℓ1 : Non-Critical                       [ m1 : Non-Critical
           ℓ2 : y1 := T                              m2 : y2 := T
           ℓ3 : while y2 do                          m3 : while y1 do
                [ ℓ4 : if (t = 2) then                    [ m4 : if (t = 1) then
                       [ ℓ5 : y1 := F                            [ m5 : y2 := F
                         ℓ6 : await (t = 1)                        m6 : await (t = 2)
                         ℓ7 : y1 := T ] ]                          m7 : y2 := T ] ]
           ℓ8 : Critical                             m8 : Critical
           ℓ9 : t := 2                               m9 : t := 1
           ℓ10 : y1 := F ]                           m10 : y2 := F ]

Figure 2: Program DEKKER: Dekker's algorithm for mutual exclusion.


coordination between the two processes starts. Process P1 sets at ℓ2 its y1 variable to T. It then enters a while loop that continues as long as P1 detects y2 = T. Process P1 identifies this situation as a tie. Tie breaking is accomplished by one of the processes recognizing it has a lower priority, resetting its yi variable to F, and then waiting for its priority to rise. This happens for P1 in ℓ5-ℓ7. On the other hand, if P1 recognizes it has a higher priority, it waits for y2 to become false. This happens for P1 in the tight loop consisting of ℓ3 and ℓ4 where, due to t = 1, it never enters the region ℓ5-ℓ7. Process P1 enters its critical section at ℓ8 only when it detects y2 = F. After termination of the critical section, P1 first sets t to 2 and then resets y1 to F.


4  A  Program  as  a  Fair  Transition  System 

Let  us  consider  how  program  DEKKER  (presented  in  Fig.  2)  can  be  viewed  as  a  fair 
transition  system. 

Below,  we  identify  the  four  components  of  a  fair  transition  system,  namely,  state 
variables,  transitions,  initial  condition,  and  justice  set,  for  program  DEKKER.  This  enables 
us  to  view  the  program  as  a  fair  transition  system,  and  to  apply  to  it  the  verification 
methods  that  will  later  be  presented  for  general  fair  transition  systems. 

State  Variables 

The state variables V are given by

π, y1, y2, t.

Variable π is a control variable that ranges over sets of program locations. At any state of a computation of DEKKER, π = {ℓi, mj} for i, j ∈ {0, ..., 10}, whenever process P1 is currently in front of the statement labeled ℓi and P2 is currently in front of the statement labeled mj.

Variables y1, y2, t naturally represent the current values of the corresponding program variables.


Initial  Condition 

The initial condition Θ is given by the assertion

Θ: (π = {ℓ0, m0}) ∧ ¬y1 ∧ ¬y2 ∧ (t = 1)

Thus, at the initial state of the program, the two processes reside at their initial locations ℓ0, m0, the two boolean variables y1, y2 are initialized to F, and t is initialized to 1.

We introduce several abbreviations for referring to the location of control.

at_ℓi: π ∩ {ℓ0, ..., ℓ10} = {ℓi}
at_mj: π ∩ {m0, ..., m10} = {mj}

Thus, at_ℓi implies ¬at_ℓk for every k ≠ i. Similar implications hold for at_mj.

To express the movement of control effected by transitions, we use the following abbreviations:

move(ℓi, ℓj): at_ℓi ∧ (π' = π − {ℓi} ∪ {ℓj})
move(mi, mj): at_mi ∧ (π' = π − {mi} ∪ {mj})

Clearly, move(ℓi, ℓj) describes the movement of process P1 from ℓi to ℓj.

Transitions 

In order to avoid tedious repetition, we will present only some of the transitions for process P1. We will concentrate on the transitions that correspond to the different types of statements appearing in the considered program. We refer the reader to [MP91b] for a fuller account of the transitions corresponding to the different types of statements.

In defining the transition relation ρ_τ corresponding to the transition τ, we adopt the convention by which a variable whose primed version does not appear explicitly in the formula is preserved by the transition. Thus, if y is a state variable and y' does not appear in ρ_τ, the clause y' = y is considered as an implicit conjunct of the formula.

There is precisely one transition τ_ℓi corresponding to each statement ℓi in P1, and one transition τ_mj for each statement mj in P2. We denote their transition relations by ρ_ℓi and ρ_mj, respectively. Transition relations that have two possible actions as a result of testing a condition, such as a while or a conditional statement, are usually represented as a disjunction ρ¹_τ ∨ ρ²_τ, where ρ¹_τ represents the case that the test evaluates to T, while ρ²_τ represents the case that the test evaluates to F.

• ρ_ℓ0: move(ℓ0, ℓ1)

This transition corresponds to the case that P1 is at ℓ0 and moves inside the loop statement.

• ρ_ℓ1: move(ℓ1, ℓ2)

This transition represents the termination of the non-critical section.

• ρ_ℓ2: move(ℓ2, ℓ3) ∧ (y1' = T)

This transition corresponds to the case that process P1 moves from ℓ2 to ℓ3 while setting y1 to T. Similar transitions are included for the assignment statements ℓ5 and ℓ9.

• ρ_ℓ3: ρ¹_ℓ3 ∨ ρ²_ℓ3, where

ρ¹_ℓ3: move(ℓ3, ℓ4) ∧ y2
ρ²_ℓ3: move(ℓ3, ℓ8) ∧ ¬y2

The first disjunct of this transition relation corresponds to the case that the test of the while statement holds (i.e., y2 = T). In this case P1 moves to ℓ4. The second disjunct corresponds to the case that the test evaluates to F, as a result of which P1 moves to ℓ8.

• ρ_ℓ4: ρ¹_ℓ4 ∨ ρ²_ℓ4, where

ρ¹_ℓ4: move(ℓ4, ℓ5) ∧ (t = 2)
ρ²_ℓ4: move(ℓ4, ℓ3) ∧ (t ≠ 2)

If t = 2 then, according to ρ¹_ℓ4, P1 moves from ℓ4 to ℓ5. Otherwise it skips the body of the conditional statement and returns to the while statement at ℓ3.

• ρ_ℓ6: move(ℓ6, ℓ7) ∧ (t = 1)

The transition corresponding to the await statement at ℓ6 is enabled only if its condition t = 1 is true. When taken, it moves from ℓ6 to ℓ7.

• ρ_ℓ7: move(ℓ7, ℓ3) ∧ (y1' = T)

This transition sets y1 to T and moves from ℓ7 to the beginning of the while statement at ℓ3.

• ρ_ℓ8: move(ℓ8, ℓ9)

This transition represents the termination of the critical section.

• ρ_ℓ10: move(ℓ10, ℓ0) ∧ (y1' = F)

This transition sets y1 to F and moves to ℓ0 to repeat the body of the loop.

A similar set of transitions corresponds to the statements of P2.

In addition to the transitions corresponding to statements of the program, we include the idling transition τ_I, whose transition relation, according to our conventions, can be written as:

ρ_I: T

(i.e., the assertion true: no primed variable appears, so every variable is preserved).
Justice Set

As the set of just transitions, we take all the transitions except for τ_I, τ_ℓ1, and τ_m1.

Transition τ_I is excluded since it is necessary only if no other transition is enabled, and there is no reason to insist that it will be used.

The exclusion of transitions τ_ℓ1 and τ_m1 from the justice set allows either of the processes to remain continuously in its non-critical section from a certain point on. Note that including τ_ℓ8 and τ_m8 in the justice set guarantees that each execution of the critical sections must terminate.
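As an added illustration of this section (not code from the paper), the following Python model encodes DEKKER as a fair transition system with the four components just listed: the state variables π, y1, y2, t (π kept as the pair of locations the two processes are in front of), the initial condition Θ, one successor function per process standing for the transitions τ_ℓ0, ..., τ_ℓ10 and τ_m0, ..., τ_m10, the idling transition, and the justice set. The function names and the representation of π are this example's own choices. It enumerates the states reachable from Θ by consecution, checks that P1 and P2 are never in front of ℓ8 and m8 together, and lists the reachable states in which no just transition is enabled, which are the only places where a computation may legitimately stay put forever.

```python
"""Program DEKKER (Fig. 2) encoded as a fair transition system with the four
components of Section 4: state variables, initial condition, transitions and
justice set.  Added example, not code from the paper."""
from collections import deque, namedtuple

# A state is a type-consistent interpretation of V = {pi, y1, y2, t}.  Since pi
# always has the form {l_i, m_j}, it is kept as the pair of locations (pc1, pc2).
State = namedtuple("State", "pc1 pc2 y1 y2 t")
THETA = State(pc1=0, pc2=0, y1=False, y2=False, t=1)   # the unique initial state

def tau_l(st):
    """tau(s) for the P1 transition at location pc1 (tau_l0 .. tau_l10).
    Variables whose primed version is not mentioned are preserved (_replace)."""
    pc, y2, t = st.pc1, st.y2, st.t
    if pc == 0:  return {st._replace(pc1=1)}                       # enter loop body
    if pc == 1:  return {st._replace(pc1=2)}                       # Non-Critical terminates
    if pc == 2:  return {st._replace(pc1=3, y1=True)}
    if pc == 3:  return {st._replace(pc1=4 if y2 else 8)}          # while y2 do
    if pc == 4:  return {st._replace(pc1=5 if t == 2 else 3)}      # if (t = 2) then
    if pc == 5:  return {st._replace(pc1=6, y1=False)}
    if pc == 6:  return {st._replace(pc1=7)} if t == 1 else set()  # await (t = 1)
    if pc == 7:  return {st._replace(pc1=3, y1=True)}
    if pc == 8:  return {st._replace(pc1=9)}                       # Critical terminates
    if pc == 9:  return {st._replace(pc1=10, t=2)}
    return {st._replace(pc1=0, y1=False)}                          # pc == 10: repeat loop

def tau_m(st):
    """The symmetric transitions tau_m0 .. tau_m10 of P2."""
    pc, y1, t = st.pc2, st.y1, st.t
    if pc == 0:  return {st._replace(pc2=1)}
    if pc == 1:  return {st._replace(pc2=2)}
    if pc == 2:  return {st._replace(pc2=3, y2=True)}
    if pc == 3:  return {st._replace(pc2=4 if y1 else 8)}
    if pc == 4:  return {st._replace(pc2=5 if t == 1 else 3)}
    if pc == 5:  return {st._replace(pc2=6, y2=False)}
    if pc == 6:  return {st._replace(pc2=7)} if t == 2 else set()
    if pc == 7:  return {st._replace(pc2=3, y2=True)}
    if pc == 8:  return {st._replace(pc2=9)}
    if pc == 9:  return {st._replace(pc2=10, t=1)}
    return {st._replace(pc2=0, y2=False)}

TRANSITIONS = ["idle"] + [f"l{i}" for i in range(11)] + [f"m{i}" for i in range(11)]
# Justice set J: everything except the idling transition and the two
# Non-Critical transitions, so a process may stay in its non-critical section forever.
JUSTICE = [name for name in TRANSITIONS if name not in ("idle", "l1", "m1")]

def successors(name, st):
    """tau(s) = {s' | s' is a tau-successor of s}; the empty set means tau is disabled on s."""
    if name == "idle":
        return {st}                         # rho_I: every variable preserved
    proc, i = name[0], int(name[1:])
    if proc == "l" and st.pc1 == i:
        return tau_l(st)
    if proc == "m" and st.pc2 == i:
        return tau_m(st)
    return set()

def enabled(name, st):
    return bool(successors(name, st))

def reachable_states():
    """States reachable from Theta by finitely many transitions (Initiality and
    Consecution); every P-accessible state is among them."""
    seen, queue = {THETA}, deque([THETA])
    while queue:
        st = queue.popleft()
        for name in TRANSITIONS:
            for nxt in successors(name, st):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def mutual_exclusion():
    """P1 and P2 are never simultaneously in front of l8 and m8 (their Critical statements)."""
    return all(not (st.pc1 == 8 and st.pc2 == 8) for st in reachable_states())

def only_unjust_enabled():
    """Reachable states in which no just transition is enabled: the only
    positions at which a computation may remain forever without violating justice."""
    return {st for st in reachable_states()
            if not any(enabled(name, st) for name in JUSTICE)}
```

The last function makes the role of the justice set concrete: every state it returns has one of the processes in front of its Non-Critical statement (ℓ1 or m1), whose transition was deliberately left out of J; in every other reachable state some just transition is enabled and must eventually be taken. Note that a process blocked at its await (ℓ6 with t = 2, or m6 with t = 1) never appears there on its own, since the two awaits cannot be blocked at the same time.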

5  Invariance  Properties 

An invariance property is a property that can be specified by a formula of the form

□p,

for an assertion p. In this section, we present several rules for proving the validity of invariance properties over all computations of a program P.

5.1 A Basic Invariance Rule

For a transition τ and state formulas p and q, we define the verification condition of τ, relative to p and q, denoted {p} τ {q}, to be the implication:

(ρ_τ ∧ p) → q',

where ρ_τ is the transition relation corresponding to τ, and q', the primed version of the assertion q, is obtained from q by replacing each variable occurring in q by its primed version. Since ρ_τ holds for two states s and s' iff s' is a τ-successor of s, and q' states that q holds on s', it is not difficult to see that

if the verification condition {p} τ {q} is valid, then every τ-successor of a p-state is a q-state.

For a set of transitions T′ ⊆ T, we denote by {p} T′ {q} the conjunction of verification conditions, containing the conjunct {p} τ {q} for each τ ∈ T′. In particular, {p} T {q} denotes the conjunction of verification conditions for all τ ∈ T.

The following abbreviations are used to refer to the location of control in π', i.e., after the transition.

at'_ℓi: π' ∩ {ℓ0, ..., ℓ10} = {ℓi}
at'_mj: π' ∩ {m0, ..., m10} = {mj}

Since the transition relation ρ_τ often contains a conjunct of the form move(ℓi, ℓj), we list below some implications of this formula. They can be used to simplify verification conditions.

move(ℓi, ℓj) implies:
• at_ℓi, and ¬at_ℓk for all k ≠ i,
• at'_ℓj, and ¬at'_ℓk for all k ≠ j,
• at'_mk ↔ at_mk for all k.

Symmetric implications follow from move(mi, mj).
The Rule

A basic rule for proving invariance properties is rule B-INV.

Rule B-INV (Basic Invariance rule):

B1. Θ → p
B2. {p} T {p}
-----------------
□p

Premise B1 of rule B-INV ensures that p holds in the first state of a computation since it is implied by Θ. Premise B2 ensures that any successor of a p-state (a state satisfying p) is also a p-state. It follows that p holds on all states of every computation of program P and, therefore, □p is valid over P.

Example 

Consider an abstract fair transition system S1 with a single state variable x, an initial condition x = 0, and a single transition τ whose transition relation is given by ρ_τ: x' = x + 2. Note that τ is always enabled and can be taken an unlimited number of times. This system has a single computation, given by

⟨x: 0⟩, ⟨x: 2⟩, ⟨x: 4⟩, ...

We wish to prove for this system the trivial invariance property

□(x ≥ 0).

To prove this property, we use rule B-INV with p: (x ≥ 0). The rule requires showing the validity of the following two premises:

B1. x = 0 → x ≥ 0
B2. x' = x + 2 ∧ x ≥ 0 → x' ≥ 0

Clearly, these two implications are valid, which establishes the invariance of x ≥ 0.

5.2  A  Rule  for  Incremental  Proofs 

An assertion p that satisfies premises B1 and B2 of rule B-INV is called inductive. Rule B-INV claims that every inductive assertion is invariant. However, the other direction of this claim is not true. There may be invariant assertions that are not inductive. For example, the assertion p: x ≠ 1 is invariant over system S1 described above, but is not inductive. This is because premise B2 for this choice of p is not a first-order tautology.

One remedy to this situation is provided by strengthening. We find a stronger assertion φ, i.e., an assertion that implies p, which is inductive. Rule B-INV is used to establish that φ is invariant, and then we use the monotonicity property of invariance formulas given by rule MON-INV.

Rule MON-INV (Monotonicity of Invariances):

{φ → p, □φ} ⊢ □p
For example, to prove the invariance of p: x ≠ 1 over system S1, we may take the stronger assertion φ: even(x) and show that it is inductive. Rule B-INV establishes the invariance of φ. Observing that even(x) implies x ≠ 1, the result follows by rule MON-INV. An alternative approach to proving invariance of noninductive assertions is provided by rule INC-INV.
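To make the distinction between invariant and inductive concrete, here is an added example (not from the paper) that mechanizes premises B1 and B2 of rule B-INV for system S1 in Python. Since x ranges over the integers, the check is a bounded search over a window of values (an assumption of this example) and only reports a counterexample or its absence; it is a sanity check of the premises, not a substitute for the proof. On S1 it finds the state x = -1 witnessing that x ≠ 1 is not inductive, while even(x) passes both premises and implies x ≠ 1, which is exactly the MON-INV argument above.

```python
"""Rule B-INV and rule MON-INV on the abstract system S1 of Section 5.1:
one state variable x, Theta: x = 0, one transition with rho_tau: x' = x + 2.
Added example, not code from the paper.  Premises are checked by exhaustive
search over a finite window of the integers (an assumption made here); a
search that finds nothing is a sanity check, not a proof."""

WINDOW = range(-50, 51)          # finite slice of the integer domain of x

def initial(x):                  # Theta: x = 0
    return x == 0

def successor(x):                # rho_tau: x' = x + 2, enabled in every state
    return x + 2

def premise_b1_holds(p):
    """B1: Theta -> p, checked on every initial state in WINDOW (only x = 0)."""
    return all(p(x) for x in WINDOW if initial(x))

def premise_b2_counterexample(p):
    """B2: {p} tau {p}, i.e. rho_tau /\\ p -> p'.  Returns a state x in WINDOW
    that satisfies p but whose tau-successor does not, or None if none exists."""
    for x in WINDOW:
        if p(x) and not p(successor(x)):
            return x
    return None

def inductive(p):
    """p satisfies both premises of rule B-INV (over WINDOW)."""
    return premise_b1_holds(p) and premise_b2_counterexample(p) is None

def computation(n):
    """The first n states of the single computation of S1: 0, 2, 4, ..."""
    states, x = [], 0
    for _ in range(n):
        states.append(x)
        x = successor(x)
    return states

def mon_inv_applies(phi, p):
    """Side condition phi -> p of rule MON-INV, checked over WINDOW."""
    return all(p(x) for x in WINDOW if phi(x))

def nonneg(x):   return x >= 0       # inductive (the paper's first example)
def not_one(x):  return x != 1       # invariant over S1 but not inductive
def even(x):     return x % 2 == 0   # inductive strengthening of not_one
```

The counterexample x = -1 is not a state of any computation of S1 (the only computation is 0, 2, 4, ...), which is precisely why x ≠ 1 is invariant yet fails premise B2: B2 quantifies over every state satisfying p, accessible or not.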

Rule INC-INV (Incremental Invariance rule):

I1. □χ1, ..., □χk
I2. Θ → p
I3. {p ∧ χ1 ∧ ... ∧ χk} T {p}
-----------------
□p

The rule assumes that several invariants, □χ1, ..., □χk, have been proven before, possibly by previous applications of rules B-INV and INC-INV in combination with MON-INV. Then, premise I3 establishes a verification condition whose left-hand side contains the conjunction χ1 ∧ ... ∧ χk, in addition to the assertion p. Assume that σ: s0, s1, ... is a computation of program P, and that premises I1-I3 are valid. Then premise I2 ensures, as before, that assertion p holds at s0. Let s_i be a p-state. Since assertions χ1, ..., χk are invariant over P, s_i satisfies the conjunction p ∧ χ1 ∧ ... ∧ χk. By premise I3, s_{i+1} satisfies p. It follows that any successor of a p-state is also a p-state, and therefore, p is invariant over P.

5.3  Mutual  Exclusion  for  Peterson’s  Program 

We use the presented rules to establish the main invariance property of program PET. This is the property of mutual exclusion, stating that processes P1 and P2 cannot execute their critical sections at the same time. It is specified by the invariance formula

□¬(at_ℓ5 ∧ at_m5).

Thus, we have to show that assertion q: ¬(at_ℓ5 ∧ at_m5) is invariant over program PET.

Simple  Range  Invariants 

First, we establish a list of invariants that restrict the range of values that variable s may assume and relate the values of y1, y2 to the locations of P1, P2, respectively.

To facilitate the expression of these invariants, we introduce the following abbreviations for k ≤ r:

at_ℓ_{k..r} : at_ℓ_k ∨ at_ℓ_{k+1} ∨ ⋯ ∨ at_ℓ_r
at_m_{k..r} : at_m_k ∨ at_m_{k+1} ∨ ⋯ ∨ at_m_r

The assertions whose invariance states the described range restrictions are:

φ_0 : s = 1 ∨ s = 2
φ_1 : y1 ↔ at_ℓ_{3..6}
φ_2 : y2 ↔ at_m_{3..6}

Assertion φ_0 states that s can only assume the values 1 or 2. Assertion φ_1 states that y1 = T precisely when P1 is executing at one of the locations ℓ3..ℓ6. Assertion φ_2 states a similar property for P2.
Let us see, for example, how the invariance of an assertion such as φ_0 : s = 1 ∨ s = 2 is established. We apply rule B-INV with p = φ_0. There are two premises to verify.

Premise I1 requires showing that Θ : π = {ℓ0, m0} ∧ ¬y1 ∧ ¬y2 ∧ s = 1 implies the assertion s = 1 ∨ s = 2. This is obvious.

Premise I2 requires consideration of the verification condition φ_0 ∧ ρ_τ → φ_0' for every transition τ in the program. There are some simple heuristics that let us discard immediately many transitions as automatically guaranteed to preserve φ_0. The simplest and most effective one is:

All transitions that do not modify any of the variables on which φ depends are guaranteed to preserve φ.

This heuristic leads immediately to the conclusion that, for the assertion φ_0 : s = 1 ∨ s = 2, we should only be concerned with the transitions that modify s. These are ℓ3 and m3. The verification condition for ℓ3 can be written as


■Co 


which is obviously valid. The verification condition for m3 is similarly valid.

We thus conclude that the assertion φ_0 : s = 1 ∨ s = 2 is an invariant of the program.


As a slightly less trivial case, let us establish the invariance of assertion φ_1 : y1 ↔ at_ℓ_{3..6}. Let us concentrate on proving premise I2. While the expression at_ℓ_{3..6} is defined in terms of the control variable π that is modified by every non-idling transition of the program, it is not difficult to see that the only transitions that affect the value of the expression as a whole are those that either enter or exit the range ℓ3..ℓ6. Consequently, we only have to consider the transitions ℓ2 and ℓ6. Their verification conditions can be written as

move(ℓ2, ℓ3) ∧ y1' = T ∧ ⋯ → (y1' ↔ at'_ℓ_{3..6})     (ρ_ℓ2 → φ_1')

move(ℓ6, ℓ0) ∧ y1' = F ∧ ⋯ → (y1' ↔ at'_ℓ_{3..6})     (ρ_ℓ6 → φ_1')

Since move(ℓ2, ℓ3) implies at'_ℓ3, from which follows at'_ℓ_{3..6}, and move(ℓ6, ℓ0) implies at'_ℓ0, from which follows ¬at'_ℓ_{3..6}, these verification conditions are valid.

It is clear that these are the only transitions that change the value of variable y1 or of the expression at_ℓ_{3..6} on which φ_1 depends.

We conclude that φ_1 : y1 ↔ at_ℓ_{3..6} is an invariant assertion.


An Incremental Proof

Now, let us consider the main invariant assertion q : ¬(at_ℓ5 ∧ at_m5). We begin by attempting to prove it by rule INC-INV, taking φ_2 as a previously proven invariant assertion. Premise I2 is trivially valid. For premise I3, we identify the only relevant transitions as ℓ4 and m4. The verification condition for ℓ4 can be written as

move(ℓ4, ℓ5) ∧ (¬y2 ∨ s = 2) ∧ ¬(at_ℓ5 ∧ at_m5) ∧ φ_2 → ¬(at'_ℓ5 ∧ at'_m5)     (ρ_ℓ4 ∧ q ∧ φ_2 → q')

Since move(ℓ4, ℓ5) implies at'_ℓ5 and at'_m5 = at_m5, and since by φ_2 the disjunct ¬y2 implies ¬at_m5, we can simplify the implication to

at_ℓ4 ∧ s = 2 → ¬at_m5,

which, in view of φ_0 : s = 1 ∨ s = 2, can be written as

at_ℓ4 ∧ at_m5 → s = 1.     (1)

Obviously, implication (1) is not a first-order tautology. Consequently, if we believe that q : ¬(at_ℓ5 ∧ at_m5) is an invariant of program PET, we should adopt (1) as also an invariant assertion. By this and a symmetric argument for m4, we add to the list of invariant assertions the following two assertions:

φ_3 : at_ℓ4 ∧ at_m5 → s = 1
φ_4 : at_ℓ5 ∧ at_m4 → s = 2

It is also clear that if these two are invariant then they complete the proof of invariance of q : ¬(at_ℓ5 ∧ at_m5).

Let us use rule INC-INV to prove the invariance of φ_3. We use the previously proven invariant φ_1 : y1 ↔ at_ℓ_{3..6}. Premises I1 and I2 are obvious. For premise I3, the only crucial transitions are ℓ3 (changing at_ℓ4 from F to T), m4 (changing at_m5 to T), and m3 (setting s to 2).

The corresponding verification conditions are

move(ℓ3, ℓ4) ∧ s' = 1 ∧ ⋯ → (at'_ℓ4 ∧ at'_m5 → s' = 1)     (ρ_ℓ3 → φ_3')

move(m4, m5) ∧ (¬y1 ∨ s = 1) ∧ ⋯ ∧ (y1 ↔ at_ℓ_{3..6}) → (at'_ℓ4 ∧ at'_m5 → s' = 1)     (ρ_m4 ∧ φ_1 → φ_3')

move(m3, m4) ∧ ⋯ → (at'_ℓ4 ∧ at'_m5 → s' = 1)     (ρ_m3 → φ_3')

The verification condition for ℓ3 is trivially valid. In the verification condition for m4, move(m4, m5) implies at'_ℓ4 = at_ℓ4, and s' = s. If at_ℓ4 = F, then the condition is true since at'_ℓ4 ∧ s' = 1 reduces to F ∧ s' = 1. If at_ℓ4 = T then, by φ_1, y1 = T and, therefore, the clause ¬y1 ∨ s = 1 implies s = s' = 1. The verification condition for m3 follows from the observation that move(m3, m4) implies ¬at'_m5.

This establishes the invariance of assertion φ_3 : at_ℓ4 ∧ at_m5 → s = 1. The invariance of φ_4 : at_ℓ5 ∧ at_m4 → s = 2 is established in a symmetric way. This concludes the proof of mutual exclusion for program PET.
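As an added illustration (not the paper's own code), the following Python encoding of PET checks the B-INV and INC-INV verification conditions by enumerating every state; the program shape (locations ℓ0..ℓ6 and m0..m6, with ℓ2: y1 := T, ℓ3: s := 1, ℓ4: await (¬y2 ∨ s = 2), ℓ6: y1 := F, and P2 symmetric) is an assumption reconstructed from the transitions discussed above, since Fig. 1 is not on this page. It reproduces the incremental proof: q is not inductive relative to the range invariants alone, while q together with φ_1..φ_4 is.

```python
"""Added example (not the paper's own code): brute-force check of the B-INV /
INC-INV verification conditions for a finite-state encoding of program PET."""
from itertools import product

# Assumed shape of PET, reconstructed from the transitions the proof mentions:
#   l0, l1 : loop head and non-critical section (control moves only)
#   l2 : y1 := T        l3 : s := 1        l4 : await (not y2 or s = 2)
#   l5 : critical       l6 : y1 := F, back to l0
# P2 is symmetric, with m3 : s := 2 and m4 : await (not y1 or s = 1).
# A state is the tuple (pc1, pc2, y1, y2, s).

def p1_steps(st):
    """Enabled transitions of P1 at st, as (name, next_state) pairs."""
    pc1, pc2, y1, y2, s = st
    if pc1 in (0, 1, 5):
        return [("l%d" % pc1, (pc1 + 1, pc2, y1, y2, s))]
    if pc1 == 2:
        return [("l2", (3, pc2, True, y2, s))]
    if pc1 == 3:
        return [("l3", (4, pc2, y1, y2, 1))]
    if pc1 == 4:
        return [("l4", (5, pc2, y1, y2, s))] if (not y2 or s == 2) else []
    return [("l6", (0, pc2, False, y2, s))]

def p2_steps(st):
    """Enabled transitions of P2 at st (mirror image of p1_steps)."""
    pc1, pc2, y1, y2, s = st
    if pc2 in (0, 1, 5):
        return [("m%d" % pc2, (pc1, pc2 + 1, y1, y2, s))]
    if pc2 == 2:
        return [("m2", (pc1, 3, y1, True, s))]
    if pc2 == 3:
        return [("m3", (pc1, 4, y1, y2, 2))]
    if pc2 == 4:
        return [("m4", (pc1, 5, y1, y2, s))] if (not y1 or s == 1) else []
    return [("m6", (pc1, 0, y1, False, s))]

STATES = list(product(range(7), range(7), (False, True), (False, True), (1, 2)))
THETA = (0, 0, False, False, 1)   # initial condition: at l0, m0, y1 = y2 = F, s = 1

# Range invariants phi0..phi2, the strengthening invariants phi3, phi4 and the
# mutual exclusion assertion q, all as stated in Section 5.3.
def phi0(st): return st[4] in (1, 2)               # s = 1 or s = 2
def phi1(st): return st[2] == (3 <= st[0] <= 6)    # y1 <-> at_l3..6
def phi2(st): return st[3] == (3 <= st[1] <= 6)    # y2 <-> at_m3..6
def phi3(st): return not (st[0] == 4 and st[1] == 5) or st[4] == 1
def phi4(st): return not (st[0] == 5 and st[1] == 4) or st[4] == 2
def q(st):    return not (st[0] == 5 and st[1] == 5)

def inc_inv_counterexamples(p, invariants=()):
    """Premises I2 and I3 of rule INC-INV for p, given already-proven invariants.
    Returns every (state, transition, next_state) violating the verification
    condition {p and phi_1 and ... and phi_k} tau {p}; an empty list means p is
    inductive relative to the invariants (with no invariants this is rule B-INV)."""
    assert p(THETA), "premise I2 fails: p does not hold in the initial state"
    bad = []
    for st in STATES:
        if not (p(st) and all(phi(st) for phi in invariants)):
            continue
        for name, nxt in p1_steps(st) + p2_steps(st):
            if not p(nxt):
                bad.append((st, name, nxt))
    return bad

if __name__ == "__main__":
    # q with only the range invariants is not inductive: the failing step is l4
    # taken while at_m5 and s = 2, which is exactly what implication (1) rules out.
    st, name, nxt = inc_inv_counterexamples(q, (phi0, phi1, phi2))[0]
    print("q not inductive:", st, "--%s-->" % name, nxt)
    print("q with phi1..phi4:", inc_inv_counterexamples(q, (phi1, phi2, phi3, phi4)))
```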

5.4  Mutual  Exclusion  for  Dekker’s  Program 

We  proceed  to  establish  several  invariants  for  Dekker’s  program,  which  together  yield  the 
desired  mutual  exclusion  property. 


Simple Range Invariants

First, we establish a list of invariants that restrict the range of values that variable t may assume and relate the values of y1, y2 to the locations of P1, P2, respectively.

φ_0 : (t = 1) ∨ (t = 2)
φ_1 : y1 ↔ (at_ℓ_{3..5} ∨ at_ℓ_{8..10})
φ_2 : y2 ↔ (at_m_{3..5} ∨ at_m_{8..10})

Invariant φ_0 states that t can only assume the values 1 or 2. Invariant φ_1 states that y1 = T precisely when P1 is executing at one of the locations ℓ3..ℓ5 or at one of the locations ℓ8..ℓ10. Invariant φ_2 states a similar property for P2. All three of these assertions are inductive.

Proving  Mutual  Exclusion 

After establishing the range invariants, we proceed to establish the main invariance property of Dekker's program, namely, that of mutual exclusion. Instead of only forbidding joint execution of statements ℓ8 and m8, we prove a stronger exclusion property, given by:

q : ¬(at_ℓ_{8..10} ∧ at_m_{8..10}).

This assertion establishes mutual exclusion of the regions ℓ8..ℓ10 and m8..m10.

To show that assertion q is preserved under all transitions (i.e., premise I2 of rule B-INV), we use the following heuristic:

To show that the assertion φ is preserved under all transitions, it is sufficient to consider only those transitions that may potentially falsify φ, i.e., change φ from T to F.

Since assertion q is equivalent to the disjunction ¬at_ℓ_{8..10} ∨ ¬at_m_{8..10}, and each transition in the program can change at most one of the disjuncts but not both, the only potentially falsifying transitions are those that falsify one of the disjuncts while the other is already false. Consequently, we need only consider transitions ℓ3 and m3 in the cases that the respective while conditions are false. This leads to the following verification conditions:

move(ℓ3, ℓ8) ∧ ¬y2 ∧ ⋯ → ¬(at'_ℓ_{8..10} ∧ at'_m_{8..10})

move(m3, m8) ∧ ¬y1 ∧ ⋯ → ¬(at'_ℓ_{8..10} ∧ at'_m_{8..10})

Consider the case of ℓ3. Since move(ℓ3, ℓ8) implies at_ℓ3 = at'_ℓ8 = T and at'_m_{8..10} = at_m_{8..10}, it is sufficient to show

¬y2 → ¬at_m_{8..10},

which follows from φ_2 : y2 ↔ (at_m_{3..5} ∨ at_m_{8..10}). The condition for m3 is established in a symmetric way.

This proves the property of mutual exclusion for Dekker's program.

As  we  will  see  below,  additional  invariants  are  needed  for  the  proof  of  the  response 
properties  of  program  DEKKER.  We  will  develop  them  as  they  are  needed. 
6 Response Properties

Next to be considered is the class of response properties. The typical response property is expressed by the formula

p ⇒◇ q

for assertions p and q. A sequence of states σ is said to satisfy the response formula p ⇒◇ q if every p-position i ≥ 0 is followed by a q-position j ≥ i. Such a response formula is said to be valid over the program P (also called P-valid), denoted P ⊨ (p ⇒◇ q), if all the computations of P satisfy the formula. This means that every occurrence of a state satisfying p in the execution of P is followed by an occurrence of q. We will often omit the prefix P ⊨ when stating the validity of a response formula over P.

The temporal logic adepts will recognize ⇒◇ as the combination of the two operators ⇒ and ◇ (see for example [MP89]). However, for our purpose here it suffices to view it as a single binary temporal operator, whose semantics has been defined above. It is very similar to the leads-to operator of Unity ([CM88]).

The following axioms and rules identify the basic properties of the response operator ⇒◇.

Axiom RFLX (Reflexivity of Response):

p ⇒◇ p

This axiom expresses the fact that every p-position is trivially followed by a p-position, namely itself.

Rule TRNS (Transitivity of Response):

{p ⇒◇ q, q ⇒◇ r} ⊢ p ⇒◇ r

This rule states the transitivity of the response operator. It claims that if every p-position is followed by a q-position, and every q-position is followed by an r-position, then certainly every p-position must be followed by an r-position.

Rule MON-RESP (Monotonicity of Response):

{p ⇒◇ q, p̃ → p, q → q̃} ⊢ p̃ ⇒◇ q̃

This rule allows us to replace in a valid response formula the antecedent p by a stronger assertion p̃, and the consequent q by a weaker assertion q̃, and obtain another valid response formula.

Rule DISJ (Disjunction of Response):

{p ⇒◇ r, q ⇒◇ r} ⊢ (p ∨ q) ⇒◇ r

This rule combines the two response formulae, p ⇒◇ r and q ⇒◇ r, into the formula (p ∨ q) ⇒◇ r. It allows us to prove the last formula by separately considering the case that p holds and the case that q holds. In this way it supports proof by case analysis.
local x, y : integer where x = 0, y = 0

P1 :: [ ℓ0 : while x = 0 do [ ℓ1 : y := y + 1 ] ; ℓ2 : ]
   ||
P2 :: [ m0 : x := 1 ; m1 : ]

Figure 3: Program TERM: A terminating program.

6.1  The  Basic  Response  Rule 

The axiom and three rules listed above are independent of the particular program analyzed, and describe basic properties of the response operator. We now present a rule that enables us to establish the validity of a response formula over a program.

The rule singles out a particular just transition τ_h ∈ J to which we refer as the helpful transition. It can establish response formulae that can be achieved by a single activation of the helpful transition τ_h. We therefore refer to this rule as the basic or single-step response rule. The rule uses the auxiliary intermediate assertion φ which describes the situation between the occurrence of p and the occurrence of q.

RESP (Basic Response rule)

R1. p → (q ∨ φ)
R2. {φ} T {q ∨ φ}
R3. {φ} τ_h {q}
R4. φ → En(τ_h)
──────────────────
p ⇒◇ q

Premise R1 ensures that p implies q or φ. Premise R2 states that any transition of the program either leads from φ to q or preserves φ. Premise R3 states that the helpful transition leads from φ to q. Premise R4 ensures that τ_h is enabled as long as φ holds. It is not difficult to see that if p happens, say at position i ≥ 0, but is not followed by a q, then φ must hold continuously beyond this position, and the helpful transition is never taken beyond i. The latter fact follows from premise R3, which states that taking τ_h from a φ-state immediately leads to a q-state, contradicting the assumption that q never happens beyond i. However, due to R4, this means that τ_h is continuously enabled but never taken beyond position i, which violates the requirement of justice for τ_h.

Example 

We illustrate the application of rule RESP on program TERM presented in Fig. 3.

This program consists of two processes, P1 and P2. Process P1 continuously increments y while waiting for x to become nonzero. Process P2 consists of a single statement, assigning 1 to x.

The response property we wish to establish for this program is that of termination. It can be expressed by the formula

(at_ℓ0 ∧ at_m0 ∧ x = 0) ⇒◇ (at_ℓ2 ∧ at_m1),

that states that the event of being at the beginning of the program (at_ℓ0 ∧ at_m0) is eventually followed by the event of being at the end of the program (at_ℓ2 ∧ at_m1).
This property is established by a sequence of lemmas, each applying one of the rules presented above.

Lemma 1 (x eventually set to 1)

(at_ℓ0 ∧ at_m0 ∧ x = 0) ⇒◇ (at_ℓ_{0,1} ∧ at_m1 ∧ x = 1)

This lemma claims that variable x is eventually set to 1 by process P2, which then moves to m1. When this happens, process P1 is still executing within the loop ℓ_{0,1}. To prove the lemma we choose

p : at_ℓ0 ∧ at_m0 ∧ x = 0
φ : at_ℓ_{0,1} ∧ at_m0 ∧ x = 0
τ_h : τ_m0
q : at_ℓ_{0,1} ∧ at_m1 ∧ x = 1

and apply rule RESP.

It is not difficult to see that p implies φ. It is also clear that taking τ_m0 from a φ-state leads to a state satisfying q (establishing premise R3), and taking any other transition, i.e., τ_ℓ0 or τ_ℓ1, preserves φ (establishing premise R2). Obviously φ implies that τ_m0 is enabled (establishing premise R4).

Lemma 2 (from ℓ0 to ℓ2)

(at_ℓ0 ∧ at_m1 ∧ x = 1) ⇒◇ (at_ℓ2 ∧ at_m1)

Follows from rule RESP, by taking φ = p and τ_h = τ_ℓ0.

Lemma 3 (from ℓ1 to ℓ0)

(at_ℓ1 ∧ at_m1 ∧ x = 1) ⇒◇ (at_ℓ0 ∧ at_m1 ∧ x = 1)

Follows from rule RESP, by taking φ = p and τ_h = τ_ℓ1.

Lemma 4 (from ℓ1 to ℓ2)

(at_ℓ1 ∧ at_m1 ∧ x = 1) ⇒◇ (at_ℓ2 ∧ at_m1)

Follows by transitivity (rule TRNS) from Lemma 3 and Lemma 2.

Lemma 5 (from ℓ_{0,1} to ℓ2)

(at_ℓ_{0,1} ∧ at_m1 ∧ x = 1) ⇒◇ (at_ℓ2 ∧ at_m1)

Follows by rule DISJ from Lemma 2 and Lemma 4, using the equivalence

(at_ℓ_{0,1} ∧ at_m1 ∧ x = 1) ↔ ((at_ℓ0 ∧ at_m1 ∧ x = 1) ∨ (at_ℓ1 ∧ at_m1 ∧ x = 1)).

Lemma 6 (from {ℓ0, m0} to {ℓ2, m1})

(at_ℓ0 ∧ at_m0 ∧ x = 0) ⇒◇ (at_ℓ2 ∧ at_m1)

This lemma, which establishes the termination property, follows by rule TRNS from Lemma 1 and Lemma 5.
6.2 The Chain Rule for Response

The basic response rule supports the proof of response properties which are established by a single helpful step. As we have seen, even the simple example above requires several helpful steps to achieve its goal, i.e., termination. When the number of helpful steps required is small and fixed we can use a sequence of lemmas, each considering a single helpful step, and then combine their results by transitivity and case splitting. However, for the case that a large number of helpful steps is required, we introduce below a more powerful rule that allows us to combine the helpful steps.

The following rule for establishing p ⇒◇ q uses several intermediate assertions that hold between the position satisfying p and the position satisfying the goal q. We denote these assertions by φ_i, where i = 1, …, r. Each intermediate assertion φ_i is associated with a just transition τ_i ∈ J that is identified as helpful for φ_i. For uniformity, we define φ_0 : q.

We can interpret the index i of the intermediate assertion φ_i as a measure of the distance of the current state from a state that satisfies the goal q. Thus, the lower the index, the closer we are to achieving the goal q. For a state s, let φ_i be the intermediate assertion with the smallest i s.t. φ_i holds on s. We refer to the index i as the rank of state s.

Assuming that these constructs have been identified, the following rule establishes the P-validity of the formula p ⇒◇ q.

CHAIN (Chain Rule for Response)

C1. p → φ_0 ∨ φ_1 ∨ ⋯ ∨ φ_r
C2. {φ_i} T {φ_i ∨ φ_{i−1} ∨ ⋯ ∨ φ_0}      for i = 1, …, r
C3. {φ_i} τ_i {φ_{i−1} ∨ ⋯ ∨ φ_0}           for i = 1, …, r
C4. φ_i → En(τ_i)                            for i = 1, …, r
──────────────────────────────────────────
p ⇒◇ q

Premise C1 requires that p implies that one of the intermediate assertions φ_i (possibly φ_0 = q) holds. Premise C2 requires that taking any transition from a φ_i-state results in a next state which satisfies φ_j, for some j ≤ i. Premise C3 requires that taking the helpful transition τ_i from a φ_i-state s results in a next state which satisfies φ_j for j < i, i.e., a strictly lower rank than that of s. We can view premise C2 as stating that the rank never increases, while premise C3 states that the helpful transition guarantees that the rank decreases. Premise C4 claims that the helpful transition τ_i is always enabled on any state satisfying φ_i.

Assume that all four premises hold. Consider a computation σ and a position m in σ that satisfies p. We wish to prove that some later position satisfies q. Assume to the contrary that all positions later than m (including m itself) do not satisfy q. By C1 and C2 each of these positions must satisfy some φ_j for j > 0, to which we refer as the rank of the position. By C2, the rank of the position can either decrease or remain the same. It follows that there must exist some position k ≥ m, beyond which the rank never decreases.

Assume that i is the rank of the state at position k. Since q is never satisfied and the rank never decreases beyond position k, it follows (by C2) that φ_i holds continually beyond k. By C3, τ_i cannot be taken beyond k, because that would have led to a rank decrease. By C4, τ_i is continually enabled beyond k yet, by the argument above, it is never taken. This violates the requirement of justice for τ_i.

It follows that if all the premises of the rule hold then p ⇒◇ q is P-valid.


6.3  Presentation  of  Proofs  by  Tables 

When presenting a proof by rule CHAIN, we usually do not write down a detailed proof of each of the premises. Typically, it is enough to identify the intermediate assertions φ_1, …, φ_r and their corresponding helpful transitions τ_1, …, τ_r. To convince the reader that the effect of each transition on each intermediate assertion has indeed been considered, we augment the list of assertions and helpful transitions by a transition table that indicates which transitions may lead from φ_i to φ_j for the various i, j = 0, …, r. By inspecting this table, and finding out that transitions always lead from φ_i to φ_j with i ≥ j, that helpful transitions always lead from φ_i to φ_j with i > j, and that all transitions are accounted for, we gain greater confidence in the correctness of the proof.

Alternately, if we doubt the correctness of the proof, the transition table mentioned above provides us with a list of claims that can be checked one by one.

Let us consider the proof of the response property

(at_ℓ0 ∧ at_m0 ∧ x = 0) ⇒◇ (at_ℓ2 ∧ at_m1)

for program TERM presented in Fig. 3. Previously, we have proven this property by individual applications of rule RESP. Let us now present a proof of the same property by a single application of rule CHAIN.

As intermediate assertions and helpful transitions we choose:


  i   φ_i                              τ_i
  3   at_ℓ_{0,1} ∧ at_m0 ∧ x = 0       m0
  2   at_ℓ1 ∧ at_m1 ∧ x = 1            ℓ1
  1   at_ℓ0 ∧ at_m1 ∧ x = 1            ℓ0
  0   at_ℓ2 ∧ at_m1

Next, we present a transition table that shows which transitions may lead from one intermediate assertion to another.

         φ_3    φ_2    φ_1    φ_0 = q
  φ_3           m0     m0
  φ_2                  ℓ1
  φ_1                         ℓ0

(Each transition shown is underlined in the original table, being the helpful transition of its row.)

The meaning of this table can be interpreted as follows. If transition τ appears in the row corresponding to φ_i, and the column corresponding to φ_j, we say that φ_j is a τ-successor of φ_i, and also that τ leads from φ_i to φ_j. A transition that appears underlined in the row corresponding to φ_i is identified as the transition that is helpful for φ_i.

For an assertion φ_i, i > 0, and a transition τ, let φ_{j_1}, …, φ_{j_k} be all the τ-successors of φ_i. This implies that transition τ can lead from any φ_i-state only to states which satisfy one of φ_{j_1}, …, φ_{j_k}. We define the verification condition implied by the table for φ_i and τ to be

{φ_i} τ {φ_{j_1} ∨ ⋯ ∨ φ_{j_k}}.

By convention, a transition τ that only leads from φ_i to itself is not represented explicitly at row φ_i. This means that any transition not appearing in row φ_i satisfies the verification condition

{φ_i} τ {φ_i}.

Note that if τ is disabled on all φ_i-states then it also leads from φ_i to itself. The corresponding verification condition φ_i ∧ ρ_τ → φ_i' holds trivially since the antecedent is false. Thus, such transitions do not appear in row φ_i.

We define a transition table to be well-formed if

• Each row for φ_i, i > 0, contains precisely one underlined transition, which may appear in more than one column.

• If τ leads from φ_i to φ_j, then i ≥ j, and if τ is underlined, then i > j.

A transition table is defined to be sound with respect to assertion p if all the verification conditions implied by the table are valid and

• p → ∨_{i=0,…,r} φ_i

• If τ_i is the transition appearing underlined in the row for assertion φ_i, for i > 0, then φ_i → En(τ_i).

Obviously, a well-formed transition table that is sound with respect to p establishes the P-validity of the response formula

p ⇒◇ φ_0.

Thus, the table above presents a proof of the property

(at_ℓ0 ∧ at_m0 ∧ x = 0) ⇒◇ (at_ℓ2 ∧ at_m1).

Note that the more detailed information provided by the transition table enables us to consider for each φ_i and τ the more refined verification condition

(φ_i ∧ ρ_τ) → (φ'_{j_1} ∨ ⋯ ∨ φ'_{j_k})

instead of the condition required by premises C2, C3, which is

(φ_i ∧ ρ_τ) → (φ'_k ∨ φ'_{k−1} ∨ ⋯ ∨ φ'_0),

where k = i − 1 for the case that τ is helpful, and k = i otherwise.
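As an added example (not the paper's own code), the following Python model of TERM checks the four CHAIN premises of Section 6.2 over every state and derives the transition table of Section 6.3 from the program itself, so the lemma chain of Section 6.1 and the table above can be replayed mechanically. Two assumptions: y is dropped from the state (no guard or assertion reads it), and transitions are named after their locations.

```python
"""Added example (not the paper's own code): mechanically checking the CHAIN
premises and deriving the transition table for program TERM of Fig. 3."""
from itertools import product

# A state is (pc1, pc2, x).  Variable y is omitted because no guard or
# assertion reads it, so l1 (y := y + 1) is modelled as a pure control move.
#   P1 :: l0 : while x = 0 do [ l1 : y := y + 1 ] ; l2      P2 :: m0 : x := 1 ; m1

def transitions(st):
    """All enabled transitions at st, as (name, next_state) pairs."""
    pc1, pc2, x = st
    out = []
    if pc1 == 0:
        out.append(("l0", (1 if x == 0 else 2, pc2, x)))   # loop test
    elif pc1 == 1:
        out.append(("l1", (0, pc2, x)))                      # loop body, back to test
    if pc2 == 0:
        out.append(("m0", (pc1, 1, 1)))                      # x := 1
    return out

STATES = list(product(range(3), range(2), (0, 1)))

# Intermediate assertions and helpful transitions exactly as chosen in Section 6.3.
PHI = {
    3: lambda st: st[0] in (0, 1) and st[1] == 0 and st[2] == 0,   # at_l0,1 & at_m0 & x = 0
    2: lambda st: st == (1, 1, 1),                                 # at_l1 & at_m1 & x = 1
    1: lambda st: st == (0, 1, 1),                                 # at_l0 & at_m1 & x = 1
    0: lambda st: st[0] == 2 and st[1] == 1,                       # at_l2 & at_m1 (goal q)
}
HELPFUL = {3: "m0", 2: "l1", 1: "l0"}

def p(st):
    """The antecedent at_l0 & at_m0 & x = 0 of the termination property."""
    return st == (0, 0, 0)

def rank(st, phi=PHI):
    """Smallest i such that phi_i holds on st, or None if no phi_i holds."""
    for i in sorted(phi):
        if phi[i](st):
            return i
    return None

def chain_violations(phi=PHI, helpful=HELPFUL, start=p):
    """Premises C1-C4 of rule CHAIN, checked over every state.
    Returns (premise, state, transition) witnesses; [] means all premises hold,
    so start ==> <> phi_0 is P-valid."""
    bad = []
    for st in STATES:
        if start(st) and rank(st, phi) is None:
            bad.append(("C1", st, None))
        for i, tau_i in helpful.items():
            if not phi[i](st):
                continue
            steps = transitions(st)
            if tau_i not in {name for name, _ in steps}:
                bad.append(("C4", st, tau_i))              # helpful transition not enabled
            for name, nxt in steps:
                j = rank(nxt, phi)
                if j is None or j > i:
                    bad.append(("C2", st, name))           # rank increased (or no phi_j holds)
                elif name == tau_i and j >= i:
                    bad.append(("C3", st, name))           # helpful step did not lower the rank
    return bad

def transition_table(phi=PHI):
    """The transition table of Section 6.3: (i, tau) -> sorted list of j such that
    tau leads from some phi_i-state to a phi_j-state, j != i (self-loops are
    omitted, following the paper's convention)."""
    table = {}
    for st in STATES:
        for i in phi:
            if not phi[i](st):
                continue
            for name, nxt in transitions(st):
                j = rank(nxt, phi)
                if j is not None and j != i:
                    table.setdefault((i, name), set()).add(j)
    return {key: sorted(js) for key, js in table.items()}

if __name__ == "__main__":
    print("CHAIN violations:", chain_violations())
    for (i, tau), js in sorted(transition_table().items(), reverse=True):
        print("phi_%d --%s--> %s" % (i, tau, ", ".join("phi_%d" % j for j in js)))
```

Passing a different `helpful` map to `chain_violations` shows which premise a wrong choice of helpful transition breaks (for instance ℓ1 chosen for φ_3 fails C4 and C3).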

6.4  Presentation  of  Proofs  by  Diagrams 

An alternative but equivalent presentation of proofs by rule CHAIN can be provided by proof diagrams. Proof diagrams convey essentially the same information provided by transition tables, but they do it in a more visual manner that helps to trace the progress from p to q along a sequence of intermediate assertions with decreasing indices.
Flat Diagrams

First, we consider the representation of transition tables by flat (unstructured) diagrams. These diagrams are labeled directed graphs constructed as follows:

• For each assertion φ_i, i = 0, …, r, we construct a node and label it by φ_i.

• For each transition τ leading from φ_i to φ_j, we construct an edge connecting the node labeled by φ_i to the node labeled by φ_j, and label the edge by τ. If τ is helpful for φ_i, the edge is drawn using a double line, and we refer to it as a double edge. Otherwise, the edge is drawn using a single line, and is called a single edge.

In the case that more than one transition leads from φ_i to φ_j, we draw only one edge and label it with the set of these transitions. This is considered to be equivalent to the graph in which there is a separate edge for each transition. If among the transitions leading from φ_i to φ_j there is one which is helpful but the others are not, it is necessary to draw two edges between the corresponding nodes: one double edge labeled by the helpful transition and one single edge labeled by all the rest.

In Fig. 4 we present a flat diagram representing the transition table presented above.


[Figure 4 (diagram not reproduced): nodes φ_3 : at_ℓ_{0,1} ∧ at_m0 ∧ (x = 0), φ_2 : at_ℓ1 ∧ at_m1 ∧ (x = 1), φ_1 : at_ℓ0 ∧ at_m1 ∧ (x = 1), φ_0 : at_ℓ2 ∧ at_m1, connected by the edges of the transition table above; the edge leaving φ_3 is labeled m0.]

Figure 4: Flat proof diagram for program TERM.

For a transition τ that labels an edge connecting a node labeled by φ_i to a node labeled by φ_j, we say that φ_j is a τ-successor of φ_i in the diagram.

Verification  Conditions  implied  by  a  Diagram 

As in the case of transition tables, a diagram implies a set of verification conditions that are more detailed than the uniform conditions generated by premises C2 and C3 of rule CHAIN. The verification conditions implied by a diagram are defined as follows:

• Assume that τ labels at least one edge departing from φ_i, and let φ_{j_1}, …, φ_{j_k}, k > 0, be all the τ-successors of φ_i. Then the implied verification condition is

{φ_i} τ {φ_{j_1} ∨ ⋯ ∨ φ_{j_k}}.

• For a transition τ that does not label any edge departing from φ_i, the implied condition is

{φ_i} τ {φ_i}.

A diagram is defined to be well-formed if

• Each non-goal node φ_i, i > 0, has at least one double edge departing from it; all of them must be labeled by the same transition.

• i ≥ j whenever an edge connects φ_i to φ_j, and i > j when this edge is double.

A diagram is said to be sound with respect to assertion p if all the verification conditions implied by the diagram are valid, and so are the implications

• p → ∨_{i=0,…,r} φ_i

• A transition τ labeling a double edge departing from φ_i implies the condition φ_i → En(τ).

A well-formed diagram that is sound with respect to p establishes the P-validity of the response formula

p ⇒◇ φ_0.

Structured  Diagrams 

When considering large and complex programs, the flat diagrams we have introduced above tend to become cluttered and unwieldy. We therefore introduce several graphical conventions, following the style of Statecharts suggested in [Har87]. These conventions can be described as encapsulation conventions. They lead to more structured and hierarchical diagrams, which may considerably improve the readability and manageability of large and complex diagrams.

Composite  Nodes 

The  basic  construct  of  encapsulation  is  the  introduction  of  a  composite  node  containing 
one  or  more  internal  nodes.  We  refer  to  the  contained  nodes  as  the  descendants  of  the 
composite  node.  Several  levels  of  encapsulation  are  allowed.  We  refer  to  the  nodes  that 
are  not  composite,  i.e.,  do  not  contain  any  internal  nodes,  as  basic  nodes. 

It is possible to associate an assertion with each node in the diagram. With the basic nodes we associate the assertions labeling them. With the composite node n we associate the assertion which is the disjunction of the assertions associated with the descendants of n.
Figure 5: Distribution of departing edges.

Distribution of Common Edges

We allow edges to depart from or arrive to composite nodes. The interpretation of an edge departing from a composite node is that it is equivalent to identically labeled edges departing from each of its descendants. This interpretation is represented in the graphical equivalence presented in Fig. 5.

Note that this is fully consistent with the interpretation of a composite node as representing the disjunction of the assertions of its descendants. The diagram on the left of Fig. 5 can be interpreted as implying the verification condition

{φ_1 ∨ φ_2} τ {ψ},

since the assertion associated with the composite node is φ_1 ∨ φ_2. The diagram on the right implies the two verification conditions

{φ_1} τ {ψ} and {φ_2} τ {ψ}.

Obviously, the first condition is equivalent to the conjunction of the other two.

Similarly, we interpret an edge arriving at a composite node as though it arrived at each of its descendants. This is represented by the graphical equivalence depicted in Fig. 6.

Figure 6: Distribution of arriving edges.

Again, both diagrams represent the verification condition:

{φ} τ {ψ_1 ∨ ψ_2}.

These conventions apply to double edges as well as to single edges.
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Distribution  of  Common  Conjuncts 


A last encapsulation convention allows the removal of a conjunct that is common to the
assertions of all the descendants of a composite node, and listing it at the label of the
composite node. This transformation is described by the graphical equivalence presented
in Fig. 7.


Figure 7: Common conjunct.


Thus, any structured diagram is equivalent to a flat diagram. Consequently, the
notions of well-formed diagrams and the verification conditions implied by a diagram are
meaningful  also  for  structured  diagrams.  It  is  possible  to  check  whether  a  given  structured 
diagram  is  well-formed,  or  to  list  the  verification  conditions  implied  by  such  a  diagram 
without  actually  constructing  the  equivalent  flat  diagram. 
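As an added illustration (not part of the paper), the following Python code implements the three distribution conventions of Figs. 5 to 7 over a small tree representation of a structured diagram and lists the verification conditions of the equivalent flat diagram without building it, as the text says is possible. The node names, edge labels and assertion strings are constructed in the shape of Fig. 8 (a composite node with common conjunct at_m1 ∧ x = 1, reached from φ3 by a double edge labelled m0); the leaf assertions and the departing edge ℓ1 are hypothetical, since program TERM is not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    """Node of a structured proof diagram: a leaf carries its assertion; a composite
    node carries only the conjunct common to all of its descendants (Fig. 7)."""
    name: str
    assertion: str = ""
    children: List["Node"] = field(default_factory=list)

    def leaves(self):
        return [self] if not self.children else [lf for c in self.children for lf in c.leaves()]


def walk(root, ancestors=()):
    """Yield (node, ancestors) for root and every node below it."""
    yield root, ancestors
    for c in root.children:
        yield from walk(c, ancestors + (root,))


def full_assertion(node, ancestors):
    """Restore the factored-out common conjuncts of all enclosing composite nodes."""
    parts = [a.assertion for a in ancestors if a.assertion] + [node.assertion]
    return " ∧ ".join(parts)


def verification_conditions(roots, edges):
    """List the conditions {φ} τ {ψ1 ∨ ... ∨ ψn} of the flat diagram equivalent to a
    structured one.  edges are (src_name, transition, dst_name); src and dst may be
    composite: a departing edge is distributed to every leaf below src (Fig. 5), an
    arriving edge to every leaf below dst (Fig. 6).  Result: a sorted list of
    (leaf assertion, transition, sorted list of target leaf assertions)."""
    info = {node.name: (node, anc) for r in roots for node, anc in walk(r)}
    targets = defaultdict(lambda: defaultdict(set))   # leaf name -> τ -> post assertions
    for src, tau, dst in edges:
        for u in info[src][0].leaves():
            for v in info[dst][0].leaves():
                targets[u.name][tau].add(full_assertion(*info[v.name]))
    conds = []
    for leaf in sorted(targets):
        for tau, posts in sorted(targets[leaf].items()):
            conds.append((full_assertion(*info[leaf]), tau, sorted(posts)))
    return conds


# Constructed example in the shape of Fig. 8 (TERM itself is not reproduced here, so the
# leaf assertions are hypothetical): a composite node C with the common conjunct
# at_m1 ∧ x = 1 over two descendants, a double edge labelled m0 arriving from φ3, and a
# single edge labelled ℓ1 departing from C to φ0.
PHI3 = Node("phi3", "at_m0 ∧ x = 1")
C = Node("C", "at_m1 ∧ x = 1", [Node("phi2", "y = 2"), Node("phi1", "y = 1")])
PHI0 = Node("phi0", "at_m2")
EDGES = [("phi3", "m0", "C"), ("C", "l1", "phi0")]


def fig8_conditions():
    return verification_conditions([PHI3, C, PHI0], EDGES)


if __name__ == "__main__":
    for pre, tau, posts in fig8_conditions():
        print("{%s} %s {%s}" % (pre, tau, " ∨ ".join(posts)))
```

The arriving double edge yields one condition whose postcondition is the disjunction of the two descendants (with the common conjunct restored), and the departing edge yields one condition per descendant, exactly the equivalences of Figs. 5 to 7.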

In  Fig.  8  we  present  a  structured  version  of  the  proof  diagram  previously  presented 
in  Fig.  4. 


Figure  8:  Structured  proof  diagram  for  program  TERM. 

This diagram contains a single composite node, whose descendants are the nodes labeled by φ2
and φ1. The double edge labeled by m0, connecting to this composite node, represents
the two edges connecting φ3 to the nodes φ2 and φ1 in the diagram of Fig. 4. Note also
the common conjunct at_m1 ∧ x = 1, that has been factored out of the two assertions
and now labels the composite node.


6.5 Accessibility for Peterson’s Program

The main response property for mutual exclusion programs is that of accessibility. This
property states that whenever a process departs from its non-critical section it is guaranteed
to eventually reach the critical section.

For program PET of Fig. 1, this property can be expressed by the response formula

$at\_\ell_2 \Rightarrow \Diamond\, at\_\ell_5.$

In the response proof we make use of the assertion

proven  to  be  invariant  in  Subsection  5.3. 

In Fig. 9 we present an assertion diagram for the proof of this response property.

The diagram traces the progress of P1 from ℓ2 to ℓ5. Process P1 can progress from ℓ2
(φ8) to ℓ3 (φ7) and then to ℓ4 with no interference from P2. However, once location ℓ4 is
entered, it is necessary to analyze the precise location of process P2. On entering ℓ4, P2
may be in any of its locations m0–m6 and s is set (by transition ℓ3) to 1. This range of
possibilities is covered by assertions (nodes) φ2–φ6. We use the invariant assertion of
Subsection 5.3 to assign the appropriate value of y2 corresponding to each of these locations.

Within the composite node corresponding to ℓ4, most of the progress is accomplished
by P2. Thus, transitions m4, m5, and m6 are responsible for moving the computation out
of states described by assertions φ6, …, and φ4, respectively.

Assertion φ5 is an exception, because here, it is again the responsibility of P1 to
guarantee an exit. We cannot rely on P2 because it is allowed to remain at the non-critical
section m1 forever. However, while ℓ4 is the helpful transition for φ5 (enabled
because y2 = F), it is not necessarily the transition taking the computation out of
φ5-states. It is possible that m1 is taken first. In that case, the computation moves to φ4,
where ℓ4 is no longer enabled, but m3 is. Finally, if the computation reaches φ3, then
ℓ4 is enabled again (since s = 2) and guarantees an eventual exit to the goal assertion
φ0.

6.6  Accessibility  for  Dekker’s  Program 

Next, we consider program DEKKER. Accessibility for program DEKKER is expressible by
the response formula

$at\_\ell_2 \Rightarrow \Diamond\, at\_\ell_8.$

That is, any state in which P1 is observed to be at ℓ2, implying that it is interested in
entering its critical section, must eventually be followed by a state in which P1 is observed
to be at the critical section ℓ8. A similar property is claimed for P2.

We partition the proof of the accessibility property into two lemmas, proving respectively,




Lemma A

$at\_\ell_2 \Rightarrow \Diamond\big((at\_\ell_{3..} \wedge t = 1) \vee at\_\ell_8\big).$

Lemma B

$(at\_\ell_{3..} \wedge t = 1) \Rightarrow \Diamond\, at\_\ell_8.$

Obviously, the difficult part of the protocol is the loop at ℓ3. Lemma B states that if
P1 is within this loop and has the higher priority, represented by t = 1, then it will get
to ℓ8. Lemma A claims that if P1 is just starting its journey towards the critical section,
then it will eventually gain a higher priority or get to ℓ8 anyway.

Clearly, by combining these two responsiveness properties, we obtain the accessibility
property.

Proof  of  lemma  A 

The  proof  of  the  response  property 

$at\_\ell_2 \Rightarrow \Diamond\big((at\_\ell_{3..} \wedge t = 1) \vee at\_\ell_8\big)$

is  presented  in  the  diagram  of  Fig.  10. 

It is easy to follow P1 from ℓ2 to ℓ3. If on entry to ℓ3, t = 1, then we are already at
the goal. Otherwise we enter ℓ3 with t = 2. From ℓ3 we can either take ℓ3 and reach
ℓ8 (if y2 = F), which again is part of the goal, or proceed to ℓ4 (if y2 = T). From ℓ4, we
proceed to ℓ5 since t = 2, and then to ℓ6 while resetting y1 to F. While P1 is still at these
locations, P2 may still set t to 1 by performing m9, and then again we move to φ0.

However, once we enter ℓ6, P1 stays at ℓ6 waiting for t to change to 1. At that point
we have to inspect where P2 may currently be. We consider as possible locations of P2
all of m3–m9, tracing their possible flow under the relatively stable situation of t = 2,
y1 = F. We see that all transitions are enabled and lead to m9 which eventually sets t to
1 as required.

A tacit assumption made in this diagram is the exclusion of m10, m0, m1, and m2 as
possible locations of P2 while P1 is at ℓ6 with y1 = F and t = 2. This assumption must hold for
the program if we believe lemma A to be valid. Indeed, consider the situation that P1 is
waiting at ℓ6 with y1 = F and t = 2, while P2 is at m1. Since P2 is allowed to stay at the
non-critical section forever, this would lead to a deadlock, denying accessibility for P1.

More  Invariants 

From the discussion above, it follows that if program DEKKER is correct, and guarantees
accessibility to both processes, then the following assertion must be invariant:

$\psi_2 :\ at\_\ell_{4..6} \wedge t = 2 \rightarrow at\_m_{3..9}.$

The proof of lemma A only needs $(at\_\ell_6 \wedge t = 2) \rightarrow at\_m_{3..9}$, but it is easy to
see that if we had $at\_\ell_{4,5} \wedge t = 2 \wedge \neg at\_m_{3..9}$, we could immediately proceed to a state
satisfying $at\_\ell_6 \wedge t = 2 \wedge \neg at\_m_{3..9}$, violating the assumption of the diagram.

By symmetry we should also require the invariance of

$\tilde\psi_2 :\ at\_m_{4..6} \wedge t = 1 \rightarrow at\_\ell_{3..9}.$
Figure 10: Proof diagram for lemma A.

Let us check the verification conditions for ψ2. Clearly, ψ2 is implied by Θ.

There are three transitions that may potentially falsify ψ2.

• Transition m9 — making at_m3..9 false.

This transition sets t to 1 which makes t = 2 false and hence preserves the truth of
the assertion.

• Transition ℓ9 — making t = 2 true.

This transition leads to at_ℓ10 which makes at_ℓ4..6 false.

• ℓ3 while t = 2 — making at_ℓ4..6 true.

This is possible only if y2 = T which, by the invariant relating y2 to the location of P2, implies
at_m3..10. This almost gives us at_m3..9, with the exception of m10. We thus need
additional information that excludes the possibility of P2 being at m10 while t = 2.
This information is provided by the invariants we will develop next.

Clearly, while entering m10 from m9, P2 sets t to 1. Can P1 change it back to 2 while P2
is still at m10? The answer is no, because m10, as we see in the invariant
$\neg(at\_\ell_{8..10} \wedge at\_m_{8..10})$, is still a part of the critical section and therefore ℓ9, the only
statement capable of changing t to 2, cannot be enabled.

This leads us to the invariance of

$\psi_3 :\ at\_m_{10} \rightarrow t = 1$

and its symmetric counterpart

$\tilde\psi_3 :\ at\_\ell_{10} \rightarrow t = 2.$

To prove ψ3, we should inspect two transitions:

• Transition m9 — making at_m10 true.

This transition sets t to 1.

• ℓ9 while at_m10 — making t = 1 false.

Impossible due to the invariance of $\neg(at\_\ell_{8..10} \wedge at\_m_{8..10})$.

This establishes the invariance of ψ3 and, symmetrically, of its counterpart. Having ψ3 we can use it to
show that the last transition considered in the proof of ψ2, namely ℓ3 while t = 2, implies
at_m3..9 (excluding at_m10), which establishes the invariance of ψ2.
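To make the verification conditions above checkable, here is an added Python example (not from the paper) that encodes a DEKKER model with the locations as the text uses them (ℓ2 raises y1, ℓ3 tests y2, ℓ4 tests t, ℓ5 lowers y1, ℓ6 awaits t = 1, ℓ7 raises y1 again, ℓ8 is the critical section, ℓ9 sets t := 2, ℓ10 lowers y1; P2 symmetric); the exact transitions are an assumption, since Fig. 1 is not reproduced here. It checks ψ2, ψ3 and mutual exclusion on the reachable states, and separately checks inductiveness over all states, which reproduces the point just made: ψ2 is not preserved by ℓ3 while t = 2 unless ψ3 (together with the flag invariant the text appeals to, called χ here) is assumed, while ψ3 itself needs only mutual exclusion.

```python
from collections import deque
from itertools import product

# Hypothesised DEKKER model (the paper's Fig. 1 is not reproduced here).
# A state is (l, m, y1, y2, t) with l, m in 0..10 and t in {1, 2}.

def move(pc, mine, other, t, me):
    """One step of the process whose identity is `me` (1 or 2): returns
    (pc', mine', t') or None when the process is blocked at an await."""
    him = 3 - me
    if pc == 0: return 1, mine, t
    if pc == 1: return 2, mine, t                          # non-critical section
    if pc == 2: return 3, True, t                          # y_me := T
    if pc == 3: return (4 if other else 8), mine, t        # while y_him do ...
    if pc == 4: return (5 if t == him else 3), mine, t     # if t = him then ...
    if pc == 5: return 6, False, t                         # y_me := F
    if pc == 6: return (7, mine, t) if t == me else None   # await t = me
    if pc == 7: return 3, True, t                          # y_me := T
    if pc == 8: return 9, mine, t                          # critical section
    if pc == 9: return 10, mine, him                       # t := him
    return 0, False, t                                     # location 10: y_me := F

def successors(s):
    l, m, y1, y2, t = s
    out = []
    r = move(l, y1, y2, t, 1)
    if r is not None: out.append((r[0], m, r[1], y2, r[2]))
    r = move(m, y2, y1, t, 2)
    if r is not None: out.append((l, r[0], y1, r[1], r[2]))
    return out

INITIAL = (0, 0, False, False, 1)

def reachable():
    seen, todo = {INITIAL}, deque([INITIAL])
    while todo:
        for n in successors(todo.popleft()):
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

ALL_STATES = list(product(range(11), range(11), (False, True), (False, True), (1, 2)))

# The invariants of the text: mutual exclusion, ψ2, ψ3, and χ (our name) for
# "y2 = T implies at_m3..10".
def mutex(s): l, m, _, _, _ = s; return not (8 <= l <= 10 and 8 <= m <= 10)
def psi2(s):  l, m, _, _, t = s; return not (4 <= l <= 6 and t == 2) or 3 <= m <= 9
def psi3(s):  return s[1] != 10 or s[4] == 1
def chi(s):   return not s[3] or 3 <= s[1] <= 10

def holds(inv):
    """Model-checking view: the assertion is true in every reachable state."""
    return all(inv(s) for s in reachable())

def inductive_counterexample(inv, assumptions=()):
    """Proof-rule view: search ALL states (reachable or not) that satisfy inv and the
    previously established assumptions for a transition that falsifies inv.
    Returns (pre, post) or None when inv is inductive relative to the assumptions."""
    for s in ALL_STATES:
        if inv(s) and all(a(s) for a in assumptions):
            for n in successors(s):
                if not inv(n):
                    return s, n
    return None

if __name__ == "__main__":
    print("reachable states:", len(reachable()))
    print("psi3 given mutex:", inductive_counterexample(psi3, (mutex,)))
    print("psi2 given psi3, mutex, chi:", inductive_counterexample(psi2, (psi3, mutex, chi)))
    print("psi2 without psi3:", inductive_counterexample(psi2, (mutex, chi)))
```

The counterexample returned for ψ2 without ψ3 is a state with P1 at ℓ3, P2 at m10 and t = 2, and the offending transition is ℓ3, exactly the third case in the list above; it is not reachable, which is why the text needs ψ3 to discharge it.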

Proof  of  Lemma  B 

Lemma B states that if P1 is within the waiting loop at ℓ3 with higher priority, i.e., t = 1, then
eventually it will reach ℓ8. It is stated by $(at\_\ell_{3..} \wedge t = 1) \Rightarrow \Diamond\, at\_\ell_8$. The proof is
presented in the diagram of Fig. 11.

The diagram identifies several major phases in the progress of P1 towards its critical
section. First we follow P1 until it reaches ℓ3,4. Its progress is not
hindered at ℓ6, since t = 1, and no transition of P2 can change this fact. Once P1 gets to
ℓ3,4 with y1 = T, the diagram recognizes the following cases:
• P2 is at m8..10 with y2 = T.

Eventually P2 departs through m10 to m0, while setting y2 to F.

• P2 is at m0..2,7 with y2 = F.

There are two ways to exit out of this situation. Either P1 will reach ℓ3 and perform ℓ3
first, exiting from the while loop to the critical section. Alternately, P2 may perform
first one of m2 or m7 and move to m3, while setting y2 to T.

• P2 is at m3..5 with y2 = T.

Eventually, P2 performs m5 and moves to m6, while setting y2 to F.

• P2 is at m6 with y2 = F.

Clearly, P2 is now blocked at m6 since t = 1. This allows P1 to advance at its own
pace to ℓ3, find y2 = F, and move to the critical section at ℓ8.

Note our efforts to minimize the number of assertions by grouping together situations
with different control configurations wherever possible. Thus, for all the states where y2 =
T and P1 is either at ℓ3 or at ℓ4, we do not distinguish between these two possibilities, but
partition the diagram according to the location of P2. This is because, in this particular
situation, it is P2 which is the helpful process and we have to trace its progress.

On the other hand, when y2 = F, P1 becomes the helpful process and we start
distinguishing between the cases of at_ℓ3 and at_ℓ4, while lumping together the locations of
P2 into two groups: m0..2,7 and m6. These two groups must be distinguished because it is
possible (though not guaranteed) to exit the first group into a situation of y2 = T, but it
is impossible to exit the second group into such a situation.

This concludes the proof of the accessibility property for Dekker’s program.


7  Precedence  Properties 

Next, we consider properties that are expressed by formulas of the form

$p \Rightarrow q_r\,\mathcal{W}\,q_{r-1}\,\mathcal{W} \cdots \mathcal{W}\,q_1\,\mathcal{W}\,q_0,$

for any r ≥ 0. Adepts in temporal logic will recognize this formula as a nested waiting-for
formula. For our purposes here it suffices to consider it as a temporal operator of r + 2
arguments.

To define the semantics of this operator, we deal with half-open intervals of the form
$[i, j)$, for $i \le j$. Such an interval consists of all the positions $k$ such that $i \le k < j$. Note
that if $i = j$ the interval is empty. For the two intervals $[i, j)$ and $[j, k)$ we say that the
second interval is adjacent to (or follows) the first, and observe that their union is the
half-open interval $[i, k)$. We also allow intervals of the form $[i, \omega)$ for an integer $i \ge 0$,
and the interval $[\omega, \omega)$ which, by definition, is empty.

Given a computation $\sigma : s_0, s_1, \ldots$, we say that the interval $[i, j)$ is a p-interval if for
every $k \in [i, j)$, $s_k$ satisfies p. By definition, an empty interval is a p-interval for every
assertion p.

A computation σ is said to satisfy the precedence formula $p \Rightarrow q_r\,\mathcal{W} \cdots \mathcal{W}\,q_1\,\mathcal{W}\,q_0$ if
for every p-position $i$ there exists a sequence of positions $i = i_r \le i_{r-1} \le \cdots \le i_0 \le \omega$
such that $[i_r, i_{r-1})$ is a $q_r$-interval, ..., $[i_1, i_0)$ is a $q_1$-interval, and finally if $i_0 < \omega$ then
$i_0$ is a $q_0$-position. That is, it requires that any p-position initiates a $q_r$-interval, which
is followed by a $q_{r-1}$-interval, ..., which is followed by a $q_1$-interval, which either extends
to infinity or is terminated by a $q_0$-position. Note that this definition allows some of the
intermediate intervals to be empty, and any of them to extend to infinity, in which case
all succeeding intervals are empty and there is no terminating $q_0$-position.

The precedence formula $p \Rightarrow q_r\,\mathcal{W} \cdots \mathcal{W}\,q_1\,\mathcal{W}\,q_0$ is said to be P-valid if it is satisfied by
all computations of program P.

7.1  Bounded  Overtaking 

Consider program PET of Fig. 1. In the previous section we proved that whenever process
P1 exits its non-critical section it eventually reaches its critical section. However, this
guarantee puts no measure on how long it takes for P1 to reach the critical section. In
particular, it allows the algorithm to be grossly unfair to one of the processes, allowing P1
one critical entry for each 10 critical entries of P2. To specify that this does not happen
and that the algorithm is reasonably fair to each of the processes, we may impose the
following requirement:

From the time P1 is at ℓ4, P2 may enter its critical section ahead of P1 (overtake
P1) at most once.

We refer to this property as 1-bounded overtaking.

For program PET, 1-bounded overtaking from location ℓ4 can be specified by the
precedence formula

$at\_\ell_4 \Rightarrow (\neg at\_m_{5,6})\,\mathcal{W}\,(at\_m_{5,6})\,\mathcal{W}\,(\neg at\_m_{5,6})\,\mathcal{W}\,at\_\ell_{5,6}.$

The formula states that, if P1 is currently at ℓ4, then there may be an interval in which
P2 is not in m5,6, followed by an interval in which P2 is in m5,6, followed by an interval in
which P2 is not in m5,6, followed by an entry of P1 to ℓ5,6. Any of the intervals may be
empty, in particular the interval of P2 being in m5,6, which also allows the entry of P1 to
ℓ5,6 without P2 getting to m5,6 first. Also, any of the intervals may be infinite, in which
case all the following intervals, as well as the entry of P1 to ℓ5,6, are not guaranteed. This,
however, is not possible because of the previously proven accessibility property for P1.
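The interval semantics defined above, and the 1-bounded overtaking formula of this subsection, can be checked mechanically on a finite trace prefix. The following Python code is an added example, not part of the paper: it decides the nested waiting-for chain by tracking the highest interval index still available at each position (an empty interval is a drop of the index without consuming a state), treats the end of the prefix as ω (an interval reaching the end is taken to extend to infinity), and runs the overtaking formula over constructed traces of P1/P2 location pairs, not computations generated from Fig. 1.

```python
from typing import Callable, Dict, Optional, Sequence, Tuple

State = Dict[str, int]
Pred = Callable[[State], bool]


def chain_holds_at(trace: Sequence[State], i: int, qs: Sequence[Pred]) -> Optional[int]:
    """Decide q_r W q_{r-1} W ... W q_1 W q_0 at position i of a finite prefix.

    qs = [q_r, ..., q_1, q_0].  `level` is the largest j such that positions i..k-1
    can be covered by adjacent q_r-, ..., q_j-intervals (every lower level is then
    available too, because intermediate intervals may be empty).  A q_0-position
    closes the sequence; reaching the end of the prefix is read as the current
    interval extending to infinity.  Returns None when satisfied, otherwise the first
    position at which no q_j with j >= 1 holds and q_0 does not hold either."""
    r = len(qs) - 1
    q = lambda j, s: qs[r - j](s)            # q_j sits at index r - j
    level = r
    for k in range(i, len(trace)):
        s = trace[k]
        if q(0, s):
            return None                      # i_0 = k is the terminating q_0-position
        while level >= 1 and not q(level, s):
            level -= 1                       # the interval just left is closed (maybe empty)
        if level == 0:
            return k
    return None


def satisfies_precedence(trace, p, qs) -> Tuple[bool, Optional[Tuple[int, int]]]:
    """p => q_r W ... W q_0 over a prefix: every p-position must start a valid chain.
    Returns (True, None) or (False, (p_position, position_of_failure))."""
    for i, s in enumerate(trace):
        if p(s):
            bad = chain_holds_at(trace, i, qs)
            if bad is not None:
                return False, (i, bad)
    return True, None


# 1-bounded overtaking for PET from ℓ4: at_ℓ4 => ¬at_m5,6 W at_m5,6 W ¬at_m5,6 W at_ℓ5,6.
def st(l: int, m: int) -> State:
    return {"l": l, "m": m}                  # only the two control locations matter here

AT_L4 = lambda s: s["l"] == 4
IN_M56 = lambda s: s["m"] in (5, 6)
NOT_M56 = lambda s: s["m"] not in (5, 6)
AT_L56 = lambda s: s["l"] in (5, 6)
OVERTAKING_1 = [NOT_M56, IN_M56, NOT_M56, AT_L56]     # q_3, q_2, q_1, q_0

# Constructed traces (pairs of P1/P2 locations), not computations of Fig. 1.
ONE_OVERTAKE = [st(4, 3), st(4, 4), st(4, 5), st(4, 6), st(4, 0), st(5, 0), st(6, 0), st(0, 1)]
TWO_OVERTAKES = [st(4, 3), st(4, 5), st(4, 6), st(4, 0), st(4, 2), st(4, 5), st(5, 0)]
STUCK_IN_M56 = [st(4, 3), st(4, 5), st(4, 6)]        # prefix ends inside the at_m5,6 interval


def bounded_overtaking(trace):
    return satisfies_precedence(trace, AT_L4, OVERTAKING_1)


if __name__ == "__main__":
    for name, tr in [("one overtake", ONE_OVERTAKE), ("two overtakes", TWO_OVERTAKES),
                     ("prefix ends in m5,6", STUCK_IN_M56)]:
        print(name, bounded_overtaking(tr))
```

On the second trace the failure is reported at position 5, where P2 re-enters m5,6 after the ¬at_m5,6 interval has already been used up, which is the second overtaking the formula forbids; the third trace is accepted because a prefix cannot distinguish an interval that extends to infinity from one that has not ended yet.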

7.2  A  Rule  for  Precedence 

We present a single rule PREC for proving precedence formulas. Similar to rule CHAIN,
rule PREC uses auxiliary assertions φ0, ..., φr that strengthen assertions q0, ..., qr.


PREC (Precedence Rule)

P1. $p \rightarrow \bigvee_{i=0}^{r} \varphi_i$

P2. $\varphi_i \rightarrow q_i$, for $i = 0, \ldots, r$

P3. $\{\varphi_i\}\ \tau\ \{\bigvee_{j \le i} \varphi_j\}$, for every transition τ and $i = 1, \ldots, r$

$p \Rightarrow q_r\,\mathcal{W}\,q_{r-1}\,\mathcal{W} \cdots \mathcal{W}\,q_1\,\mathcal{W}\,q_0$
To justify this rule consider a state $s_k$ satisfying p. By premise P1, it also satisfies
$\bigvee_{i=0}^{r} \varphi_i$. It follows that there exists some index $j_k$, $0 \le j_k \le r$, such that $s_k$ satisfies $\varphi_{j_k}$.

If $j_k = 0$ we are done, since $\varphi_0$ terminates the required sequence of intervals. Otherwise,
$j_k > 0$ and we consider $s_{k+1}$, the successor of $s_k$. Premise P3 implies that $s_{k+1}$ satisfies
$\varphi_{j_{k+1}}$ for some $j_{k+1} \le j_k$. We now repeat the argument for $s_{k+1}$, and so on. Denoting the
indices of the assertions established for $s_k$ and its successors by $j_k, j_{k+1}, \ldots$, premise P3
guarantees that the sequence of indices

$j_k \ge j_{k+1} \ge \cdots$

is nonincreasing, and that it can either terminate at some index equal to 0 or extend to infinity. It
is not difficult to see that this guarantees a sequence of intervals $I_r, I_{r-1}, \ldots, I_1$ satisfying
respectively

$\varphi_r, \varphi_{r-1}, \ldots, \varphi_1,$

which may either terminate at a state satisfying $\varphi_0$ or extend to infinity. Clearly, some
of these intervals may be empty. By premise P2, any interval or state satisfying $\varphi_i$ also
satisfies $q_i$. It follows that $q_r\,\mathcal{W}\,q_{r-1} \cdots q_1\,\mathcal{W}\,q_0$ holds at position k in the computation.

7.3  1-Bounded  Overtaking  for  Peterson’s  Program 

As explained above, 1-bounded overtaking for Peterson’s program is specified by the
formula

$at\_\ell_4 \Rightarrow (\neg at\_m_{5,6})\,\mathcal{W}\,(at\_m_{5,6})\,\mathcal{W}\,(\neg at\_m_{5,6})\,\mathcal{W}\,(at\_\ell_{5,6}).$

We use rule PREC to prove this property for program PET.

To use rule PREC, we have to find four assertions φ0, φ1, φ2, φ3, whose disjunction
is implied by at_ℓ4 (satisfying P1), which strengthen the assertions at_ℓ5,6, ¬at_m5,6, at_m5,6,
¬at_m5,6, respectively (satisfying P2), and which satisfy the verification conditions
of premise P3 of the rule.

A natural candidate for φ0 is at_ℓ5,6 itself,

$\varphi_0 :\ at\_\ell_{5,6},$

because, obviously, it terminates the waiting period. Proceeding to φ1, the assertion φ1
should strengthen ¬at_m5,6, and we can safely add to it the conjunct at_ℓ4, since the
whole period starts with P1 at ℓ4 and terminates by P1 moving to ℓ5.

What additional information should we include in φ1? Considering the role of φ1 in
the precedence formula and premise P3, φ1 should be such that the only exit to a (¬φ1)-state
would be to an (at_ℓ5,6)-state. It follows that φ1 should characterize all the states
in which the next entry to a critical section will be by P1, i.e., all the states in which P1
has a definite priority over P2.

Observing that at_ℓ4 ∧ at_m4 ∧ s = 2 is one such state, we can add to the assertion
all other states from which this state is reachable by movements of P2 alone. This leads
to the assertion

$\varphi_1 :\ at\_\ell_4 \wedge \big(at\_m_{0..3} \vee (at\_m_4 \wedge s = 2)\big).$
For the assertion φ2 it seems sufficient to take

$\varphi_2 :\ at\_\ell_4 \wedge at\_m_{5,6}.$

For φ3 we have to characterize all the states in which P2 has priority over P1, which waits
at ℓ4. Seeing that φ1 and φ2 cover almost all the configurations satisfying at_ℓ4, the only
remaining one is given by

$\varphi_3 :\ at\_\ell_4 \wedge at\_m_4 \wedge s = 1.$

From the way φ0–φ3 were constructed, it is obvious that at_ℓ4 implies their disjunction
(premise P1), that each of them is a strengthening of the corresponding assertion in the
precedence formula (premise P2), and that φ1–φ3 satisfy premise P3 of rule PREC.
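As an added example (not from the paper), the following Python code checks premises P1 to P3 of rule PREC for the four assertions just constructed over the reachable states of a hypothesised PET model. Fig. 1 is not reproduced here, so the transitions (ℓ2: y1 := T, ℓ3: s := 1, ℓ4: await y2 = F ∨ s = 2, ℓ5: critical, ℓ6: y1 := F, and symmetrically for P2 with s := 2 and await y1 = F ∨ s = 1) are an assumption consistent with how the text describes them. Restricting P3 to reachable states means the reachability invariant serves as the implicit strengthening of the verification conditions. A variant of φ1 without the disjunct at_m4 ∧ s = 2 is checked too, to show why that disjunct is needed.

```python
from collections import deque

# Hypothesised PET model (the paper's Fig. 1 is not reproduced here).
# A state is (l, m, y1, y2, s) with l, m in 0..6 and s in {1, 2}.

def pet_move(pc, mine, other, s, me):
    """One step of process `me` (1 or 2): (pc', mine', s') or None if blocked."""
    him = 3 - me
    if pc == 0: return 1, mine, s
    if pc == 1: return 2, mine, s                        # non-critical section
    if pc == 2: return 3, True, s                        # raise own flag
    if pc == 3: return 4, mine, me                       # s := me (yield priority)
    if pc == 4: return (5, mine, s) if (not other or s == him) else None   # await
    if pc == 5: return 6, mine, s                        # critical section
    return 0, False, s                                   # lower own flag

def successors(st):
    l, m, y1, y2, s = st
    out = []
    r = pet_move(l, y1, y2, s, 1)
    if r is not None: out.append((r[0], m, r[1], y2, r[2]))
    r = pet_move(m, y2, y1, s, 2)
    if r is not None: out.append((l, r[0], y1, r[1], r[2]))
    return out

def reachable(initial=(0, 0, False, False, 1)):
    seen, todo = {initial}, deque([initial])
    while todo:
        for n in successors(todo.popleft()):
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

# The precedence formula of this subsection: p => q3 W q2 W q1 W q0.
P  = lambda st: st[0] == 4
QS = [lambda st: st[1] not in (5, 6),      # q3: ¬at_m5,6
      lambda st: st[1] in (5, 6),          # q2: at_m5,6
      lambda st: st[1] not in (5, 6),      # q1: ¬at_m5,6
      lambda st: st[0] in (5, 6)]          # q0: at_ℓ5,6
# The auxiliary assertions φ3, φ2, φ1, φ0 of the text, in the same order as QS.
PHIS = [lambda st: st[0] == 4 and st[1] == 4 and st[4] == 1,
        lambda st: st[0] == 4 and st[1] in (5, 6),
        lambda st: st[0] == 4 and (st[1] <= 3 or (st[1] == 4 and st[4] == 2)),
        lambda st: st[0] in (5, 6)]

def check_prec(phis, p=P, qs=QS, states=None):
    """Check premises P1-P3 of rule PREC over the given states (default: reachable).
    Returns a list of (premise, state) violations; empty means the rule applies."""
    states = reachable() if states is None else states
    r = len(phis) - 1
    idx = lambda j: r - j                    # phi_j and q_j live at list index r - j
    bad = []
    for st in sorted(states):
        if p(st) and not any(f(st) for f in phis):
            bad.append(("P1", st))
        for j in range(r + 1):
            if phis[idx(j)](st) and not qs[idx(j)](st):
                bad.append(("P2", st))
        for j in range(1, r + 1):
            if phis[idx(j)](st):
                for n in successors(st):
                    if not any(phis[idx(i)](n) for i in range(j + 1)):
                        bad.append(("P3", st))
    return bad

# Dropping the disjunct at_m4 ∧ s = 2 from φ1 looks tempting but loses premise P1:
# P1 at ℓ4 with P2 at m4 and s = 2 is reachable and then covered by no φ_i.
PHIS_WEAK = list(PHIS)
PHIS_WEAK[2] = lambda st: st[0] == 4 and st[1] <= 3

if __name__ == "__main__":
    print("violations with the text's assertions:", check_prec(PHIS))
    print("violations with the weakened phi_1:", check_prec(PHIS_WEAK))
```

With the text's assertions every reachable ℓ4-state falls into some φi, each φi entails its qi, and every transition from a φi-state (i ≥ 1) lands in some φj with j ≤ i, which is what the table of the next subsection summarises by its exit transitions m4, m6 and ℓ4.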

7.4 Tables and Diagrams for Precedence Proofs

Similar to proofs by rule CHAIN, proofs by rule PREC can be presented by both transition
tables and proof diagrams. The main differences are that we no longer identify helpful
transitions and that the existence of a table entry or graph edge leading from φi to φj
only requires that i > j.

For example, the proof of 1-bounded overtaking from ℓ4 can be represented by the
following table:


$\varphi_3 :\ at\_\ell_4 \wedge at\_m_4 \wedge s = 1$          $m_4$

$\varphi_2 :\ at\_\ell_4 \wedge at\_m_{5,6}$          $m_6$

$\varphi_1 :\ at\_\ell_4 \wedge \big(at\_m_{0..3} \vee (at\_m_4 \wedge s = 2)\big)$          $\ell_4$

$\varphi_0 :\ at\_\ell_{5,6}$

It can also be presented in the proof diagram of Fig. 12.